Google’s Warning (And Why It’s Not Enough)


Kristy McDaniel Baia

Kudos to Google for alerting Gmail users when they are about to send or receive mail that is not protected by Transport Layer Security (TLS). It’s certainly a step in the right direction, but it promotes the idea that TLS equals encryption.


If you’ve ever ordered a product or service online and had to give your credit card number or other sensitive information, odds are you did so through a secure server. In the past, this connection likely relied on the Secure Sockets Layer (SSL) protocol to encrypt your information from the time it left your server until the time it reached the company’s. A hacker who intercepted that message somewhere in between would find it nearly impossible to decode.

Transport Layer Security (TLS) is an application security protocol that has replaced SSL and become the standard for insurance companies, lawyers, accountants, doctors and others who send and receive sensitive data from their clients. However, there are some weaknesses within TLS that users — especially industry groups — should be aware of before blindly adopting it for compliance reasons.

The issue with TLS isn’t so much the level of security it offers, but where that security ends. TLS is a server-to-server protocol that encrypts messages in transit. As an analogy, think of it as having a valuable package delivered in an armored car. However, that car stops at the end of your driveway, leaves the package and drives away. Likewise, with TLS, you have secure email right up until it reaches the receiving server. At that point, the message is no longer encrypted, and anyone with access to that server or mailbox can read it.

In other words, someone who hacks your mailbox would be able to see and read the unencrypted message, even though one who intercepts it between servers cannot.
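The hop-by-hop nature of TLS can be seen in a delivered message's own headers. The following is an added example, not part of the original article: it reads the `Received` trail of a constructed sample message, flags which hops report TLS using the RFC 3848 protocol keywords, and returns the body exactly as the receiving mailbox stores it. The hostnames, addresses and message content are made up for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic): two hops, the first without TLS.
SAMPLE = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from desktop.sender.example (desktop.sender.example [192.0.2.55])
\tby mx.sender.example with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:01 +0000
From: clinic@sender.example
To: patient@recipient.example
Subject: Lab results

Your results are attached. Account number 0000-EXAMPLE.
"""

# RFC 3848 "with" protocol types that indicate the hop was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)

def audit_hops(raw_message):
    """Return (hops, body); hops are listed in delivery order, oldest first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its Received header, so reverse to get delivery order.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        proto = WITH_RE.search(flat)
        by = BY_RE.search(flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({"by": by.group(1) if by else "unknown",
                     "protocol": name,
                     "tls": name in TLS_PROTOCOLS})
    # TLS protected each hop at most; the stored body is plain text.
    return hops, msg.get_payload()

if __name__ == "__main__":
    hops, body = audit_hops(SAMPLE)
    for hop in hops:
        print(f"{hop['by']:<24} {hop['protocol']:<8} TLS={hop['tls']}")
    print("Body as stored on the receiving server:", body.strip())
```

`Received` headers are self-reported by each relay, so treat the result as an indication of how a message travelled rather than proof.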

With TLS, your email is only as secure as your server. For some companies, that might not be a huge problem, but for small companies — think doctors’ offices, insurance agencies, individual lawyers and accountants — it could be a huge issue. This is especially true now that TLS has become the standard and these companies are sometimes led to believe that’s all they need to have a secure email system.

Make no mistake, TLS is a step in the right direction. In fact, AppRiver will always use a TLS connection if it’s available. However, if your company deals with sensitive information, CipherPost Pro™ from AppRiver might be another, even more reliable way to protect your customers. CipherPost Pro protects data from user to user rather than server to server.

Based on the analogy above, CipherPost Pro offers the same kind of “armored car” protection in transit. But with CipherPost Pro, it’s like having an armed guard come knock on your door, check your ID and place the package in your hands.

The practical effect is that someone who hacks your server will find the information as useless as the one who steals your data en route.

Do you need this level of protection? That all depends on how valuable your clients’ information is to someone who fraudulently receives it — or, more to the point, how valuable your customers are to you.