TLS Not Important for Privacy & Secure Messaging

Vendors make out that TLS support is important, that it helps you satisfy privacy regulations. E.g., see

What TLS does, in this context, is encrypt email in transit between SMTP MTAs (server to server). So it does help privacy, to the extent that it protects you from "man-in-the-middle" attacks on that hop.
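For a defender who wants to know whether that hop-to-hop encryption is actually in place, the following check is an added example (not code from the original post): it connects to an MTA, looks for STARTTLS in the EHLO response, and only counts TLS as present if the certificate verifies against the system trust store and matches the hostname. Hostnames and the sample EHLO responses are constructed.

```python
"""Check whether an SMTP MTA offers STARTTLS and negotiates verified TLS."""
import smtplib
import ssl

# Constructed EHLO responses, as a server would send them on the wire.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello\r\n250-SIZE 10240000\r\n"
    b"250-STARTTLS\r\n250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.test Hello\r\n250-SIZE 10240000\r\n250 HELP\r\n"
)


def starttls_advertised(ehlo_response: bytes) -> bool:
    """Return True if a raw multi-line EHLO response advertises STARTTLS.

    Lines look like b'250-KEYWORD ...' (continuation) or b'250 KEYWORD ...'
    (final line). The keyword comparison is case-insensitive.
    """
    for line in ehlo_response.splitlines():
        if not line.startswith(b"250") or len(line) < 5:
            continue
        keyword = line[4:].split()[:1]
        if keyword and keyword[0].upper() == b"STARTTLS":
            return True
    return False


def check_mta_tls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MTA and report whether TLS is offered and verifiable.

    Network call; not exercised offline. Use port 587 for the client-to-MTA
    (submission) case. 'tls_verified' is True only when the handshake succeeds
    under a default SSL context (CERT_REQUIRED plus hostname check); an MTA
    that only reaches the unverified state gives no protection against an
    active man-in-the-middle, whatever it advertises.
    """
    result = {"starttls": False, "tls_verified": False, "cipher": None, "error": None}
    context = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                smtp.starttls(context=context)  # raises on bad chain/hostname
                result["tls_verified"] = True
                result["cipher"] = smtp.sock.cipher()[0]
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result
```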

The trouble is that for most organizations, the chance of such man-in-the-middle attacks is pretty small. If, say, you’re a vendor of pharmaceutical products, it’s most unlikely that your competitors can listen in. This is true in much the same way that it’s unlikely competitors will listen in to your phone conversation, as it passes between phone companies.

So TLS support sounds good. But in reality, for most organizations, it’s pretty irrelevant to privacy and compliance.

Exceptions occur where governments might intervene. E.g., if you’re Exxon, discussing an oil rights negotiation with a branch office in a central Asian state, then you might reasonably fear that the local ISP might be compromised. Here, TLS would be valuable for communications with your local branch.

    TLS can also encrypt between mail clients and MTAs. All-singing all-dancing PKIs have mostly failed, and easy, incremental, cheap approaches might not be so bad. Given the vagueness of the encryption requirements in HIPAA, SOX, GLB, etc., TLS offers a cheap answer to compliance; leaving it turned off, when it’s so easy to turn on, does not.

