It's strangely difficult to find out exactly how SSL works with email, at least insofar as answering my specific question - when I connect to gmail using SSL, I understand that my connection is secure and thus data is all encrypted between MY COMPUTER and the GMAIL SERVER. However, is that all SSL does? For example, when I open an email on my computer, the data between Mountain View (or wherever) and my house is encrypted? Would that mean then that if I email my friend who also uses gmail with SSL/secure gmail enabled, and I send an email with an attachment to his gmail account, that email as well as the attachment are encrypted at my computer, sent to the GMail server, and then, provided my friend uses SSL, he can securely acquire the email too? So there is no need for those firefox encryption addons? Are those just for more robust encryption algorithms?
So in summary, here is what I think I have learned (and provides a summary for others reading). PLEASE CORRECT ME IF I AM WRONG:
gmail sends emails to google servers with HTTP. gmail also retrieves emails from google servers with HTTP. when you connect to the google servers using https (as opposed to http) then the connection between your gmail client and the gmail servers is secure and data is encrypted going back and forth between the two.
when using a client (thunderbird for example) SMTP is used to send emails, and IMAP/POP are used for retrieving emails. At the add-on/options level, you can tell these clients to use TLS for both the SMTP and IMAP/POP steps.
The google servers probably don't use TLS with SMTP when bouncing emails back and forth amongst their servers.
Conclusion - if using gmail, always use HTTPS but know there is no encryption between google's servers, but in the 'outside world' the connection between google clients (as long as using https) is secure. if using thunderbird (or something else) turn on TLS.
Is this correct?
I will add one caveat: SSL would prevent a man in the middle phishing scam, but it is not guaranteed to prevent a similar-name phishing attack. – EBGreen – 2009-08-19T14:15:20.310
so if I understand this, SSL provides a secure HTTP connection (hence https), but email is not sent over HTTP, it is sent over SMTP, and THAT is not encrypted by SSL? – Tony Stark – 2009-08-19T14:23:12.433
so SMTP may not be a secure protocol, but when SSL is set up, does that cover SMTP too? And IMAP and POP would not be covered/encrypted by SSL? – Tony Stark – 2009-08-19T14:29:30.550
@hatorade I clarified in the sentence after the bullets, and expanded on those. – jtimberman – 2009-08-19T14:29:34.840
@hatorade I also clarified about imap/pop. I hope this answer helps, good question! – jtimberman – 2009-08-19T14:34:10.513
@jtimberman sorry for being persistent, but it really helps me to understand by breaking it down a lot.
When I send an email using gmail using https (and I just learned TLS is aka SSL), which protocol is used to send that email from my computer to google? HTTP always? I read on wikipedia that clients can use SMTP.
Likewise, with a https connection to gmail, using IMAP/POP to get emails also encrypts them.
Therefore, the only loopholes in encryption are: -if I or my friend in gmail isn't using https -the sending of the email between google's internal mail servers over normal SMTP – Tony Stark – 2009-08-19T14:41:37.363
@hatorade yes when you use the webmail interface, you're using HTTP to send from your browser to the gmail server. IMAP/POP are protocols used by mail clients (like Thunderbird/Outlook) to retrieve mail. The mail between google's internal mail servers is via SMTP (see 'with SMTP' in the received lines). – jtimberman – 2009-08-19T14:45:20.620
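The "with SMTP" hint in the last comment can be checked mechanically. Every server that handles a message prepends a Received: header, and per RFC 3848 the keyword after "with" records how that hop was made: ESMTP is plain, ESMTPS means the hop used TLS (STARTTLS), ESMTPA means an authenticated submission and ESMTPSA means authenticated over TLS. The script below is an added example, not code from the original thread or from Google; it parses a constructed sample message (the hostnames and IDs are made up) and reports which hops advertised TLS. One caveat a practitioner should keep in mind: a Received: line is written by the receiving server and only reflects what that server claims, and anything upstream of you can forge earlier lines, so this is evidence about the path, not proof.

```python
"""Classify each hop in an e-mail's Received: trail as TLS or plaintext.

Added example (not from the original thread). Keywords follow RFC 3848:
  ESMTP    - plain ESMTP, no TLS indicated
  ESMTPS   - ESMTP over TLS (STARTTLS)
  ESMTPA   - authenticated submission, no TLS indicated
  ESMTPSA  - authenticated submission over TLS
"""
import email
import re

# Constructed sample, NOT a real Gmail message. Servers prepend Received:
# lines, so the newest hop is on top and the oldest (the client's
# submission to its own mail server) is at the bottom.
SAMPLE_MESSAGE = """Received: from mail-xx.example.net (mail-xx.example.net [192.0.2.10])
        by mx.example.org with ESMTPS id abc123
        for <bob@example.org>; Wed, 19 Aug 2009 07:15:20 -0700 (PDT)
Received: from [10.0.0.5] (unknown [10.0.0.5])
        by mail-xx.example.net with ESMTP id def456;
        Wed, 19 Aug 2009 07:15:18 -0700 (PDT)
Received: from alice-laptop (host.example.com [198.51.100.7])
        by smtp.example.net with ESMTPSA id ghi789;
        Wed, 19 Aug 2009 07:15:10 -0700 (PDT)
From: alice@example.net
To: bob@example.org
Subject: test

hello
"""

# RFC 3848 keywords (plus the RFC 6531 UTF8 variants) that indicate TLS
# or SMTP AUTH on the hop.
TLS_PROTOS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
AUTH_PROTOS = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)\b", re.IGNORECASE)


def parse_hop(received):
    """Turn one Received: header value into a dict describing the hop."""
    # Header continuation lines are folded with leading whitespace;
    # collapse all runs of whitespace so the regexes see one line.
    text = " ".join(received.split())
    from_m = FROM_RE.search(text)
    by_m = BY_RE.search(text)
    with_m = WITH_RE.search(text)
    proto = with_m.group(1).upper() if with_m else "UNKNOWN"
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "with": proto,
        "tls": proto in TLS_PROTOS,
        "auth": proto in AUTH_PROTOS,
    }


def classify_hops(raw_message):
    """Return hops in chronological order (oldest first) for a raw message."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_hop(r) for r in reversed(received)]


def unencrypted_hops(raw_message):
    """Hops whose Received: line does not advertise TLS."""
    return [hop for hop in classify_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for i, hop in enumerate(classify_hops(SAMPLE_MESSAGE), 1):
        state = "TLS" if hop["tls"] else "PLAINTEXT"
        state += ", authenticated" if hop["auth"] else ""
        print(f"hop {i}: {hop['from']} -> {hop['by']} with {hop['with']} ({state})")
```

For the sample message this reports the laptop's submission hop (ESMTPSA) and the final delivery hop (ESMTPS) as TLS, and the internal hop between the two example.net servers (plain ESMTP) as the one that advertised no encryption. Run it against the raw source of your own messages ("Show original" in Gmail, or the .eml file from Thunderbird) to see what each hop claims.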