Share the Knowledge
  • Opportunistic TLS

    Posted on March 21st, 2009 webmaster 3 comments

    We had to upgrade our mail gateway/anti-spam software on Sunday because one of our vendors requires us to use encryption when exchanging emails with them. The easiest solution is to use opportunistic TLS, where the sending server always tries to negotiate TLS with the receiving server. If the other server supports TLS, the traffic is encrypted. If not, the email is sent over regular SMTP without encryption.

    This is actually the first time I’ve even heard of opportunistic TLS; I’m used to seeing S/MIME and PGP when reading about email encryption. What I like about this is that encryption/decryption is done on the server side, so the users don’t have to do anything different when sending emails and we don’t have to issue a certificate to each user and manage the keys.

    If you’re using Exchange Server 2007, opportunistic TLS is already enabled by default. You can check this by entering Get-SendConnector "Send Connector Name" | Format-List in the Exchange Management Shell. Look for the IgnoreStartTLS parameter: if it’s set to False, opportunistic TLS is enabled.

    To check whether a server supports TLS, telnet to the server on port 25 and check if the server supports the STARTTLS command, for example:

    telnet mail.global.frontbridge.com 25

    This server supports TLS

    Here’s an example of the header of an email that was delivered with TLS enabled (I modified the IP addresses and names for privacy reasons):

    Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
     with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
     -0400
    Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
     ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
     TLSv1/SSLv3,128bits,AES128-SHA
     ) id 06456c96000057da for <jdoe@microsoft.com>;
     Mon, 16 Mar 2009 18:05:16 -0500
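    As an added example (not from the original post), here is a small Python script that automates both checks described above: it probes a server's EHLO response for STARTTLS and upgrades the session if it is offered, and it reads the Received: headers of a delivered message to tell which hops used TLS. The sample headers are constructed from the ones quoted above plus one invented plain-ESMTP hop whose host names and IPs are placeholders.

```python
import email
import re
import smtplib
import ssl

# Evidence that a hop used TLS: Exchange writes "(TLS)", Trend IMSS writes
# "TLS: TLSv1/...", and RFC 3848-style servers write "with ESMTPS".
TLS_EVIDENCE = re.compile(r"\(TLS\)|\bTLS:|\bESMTPSA?\b")

def ehlo_offers_starttls(ehlo_message: bytes) -> bool:
    """True if the EHLO response advertises the STARTTLS extension."""
    return any(line.strip().upper() == b"STARTTLS"
               for line in ehlo_message.splitlines())

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0):
    """Live check: EHLO, then upgrade with STARTTLS if it is offered.
    Returns (advertised, cipher); cipher is the (name, protocol, bits) tuple
    of the negotiated session, or None when STARTTLS is not advertised."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, message = smtp.ehlo()
        if code != 250 or not ehlo_offers_starttls(message):
            return False, None
        # A verifying context makes an untrusted certificate raise ssl.SSLError,
        # which is itself a finding: opportunistic TLS in MTAs accepts any cert.
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the upgrade
        return True, smtp.sock.cipher()

def tls_per_hop(raw_headers: str):
    """Unfold each Received: header and say whether it records a TLS hop.
    Returns [(unfolded_hop, used_tls), ...] in message order (newest first)."""
    msg = email.message_from_string(raw_headers)
    hops = [" ".join(value.split()) for value in msg.get_all("Received", [])]
    return [(hop, bool(TLS_EVIDENCE.search(hop))) for hop in hops]

# Constructed sample, modelled on the header quoted above, with continuation
# lines indented as in a real message; the third hop is an invented plain
# ESMTP hop using placeholder names and addresses.
SAMPLE_HEADERS = """\
Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
 with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18 -0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
 ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
 TLSv1/SSLv3,128bits,AES128-SHA
 ) id 06456c96000057da for <jdoe@microsoft.com>;
 Mon, 16 Mar 2009 18:05:16 -0500
Received: from relay.example.net (203.0.113.7) by mx.example.org
 with ESMTP id abc123; Mon, 16 Mar 2009 18:05:10 -0500
"""
```

    Only the last hop into your own gateway is one you can vouch for; earlier Received: lines are written by other people's servers and can say anything.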

  • UK Government Laptop Sold on eBay, Including a Confidential Disc

    Posted on February 28th, 2008 webmaster No comments

    More news about confidential data getting lost…

    A local PC repair firm found the disc under the laptop’s keyboard when the laptop was put in for repair. The disc had the words “Home Office” and “Confidential” written on it.

    The good news is, at least this time both the laptop and the disc have been encrypted.

    Read the full article here.


  • TrueCrypt Disk Encryption Software

    Posted on January 4th, 2008 webmaster No comments

    I’m sure you’ve heard or read many stories before about laptops getting stolen containing thousands or hundreds of thousands of records on patients, customers, etc. Those records usually include very sensitive information such as a person’s Social Security Number. And a lot of times the data on those stolen laptops was not encrypted!!! Now those people are at high risk of identity theft. This wouldn’t have been such a big deal if they had taken the extra step of saving the data in an encrypted volume using a strong encryption algorithm. This is very easy and simple to do, too, and there are many encryption programs out there.

    The one I would recommend is this free open-source disk encryption software called TrueCrypt. I’ve been using this software for about a year and a half now and never had a problem with it. It’s very easy and simple to use and supports different encryption algorithms, including AES-256 (Advanced Encryption Standard, 256-bit key) which is the encryption standard adopted by the U.S. government.

    My new laptop actually came with its own encryption software, but I still prefer TrueCrypt because of its simplicity. What you basically do is create a volume using the software by specifying how much disk space you want to allocate for it, the type of encryption to use, and the volume password (make sure you choose a strong password!!!). This encrypted volume then looks just like a regular file on your hard drive. You then use TrueCrypt to mount that volume in your OS (it will prompt you for the volume password that you created earlier). The mounted volume looks just like a regular hard disk drive, and you use it just like a regular hard disk drive as well. The encryption is done on-the-fly. You can also set TrueCrypt to automatically mount the volumes on startup. TrueCrypt is available for Windows Vista (32-bit and 64-bit)/XP/2003/2000 and Linux.

    You can download TrueCrypt from here for free.

    Cost of TrueCrypt? $0. Cost of your stolen data falling into the wrong hands? Well, that depends, but it could be HUGE!!!