Fwd: E-mail Encryption - S/MIME vs TLS

["kevin fielder" <kevin.fielder () gmail com>]

Hi

The best solution will depend on what you are trying to achieve.

As mentioned, TLS is usually implemented between two email gateways so
would provide a secure mechanism for transporting emails between two
networks that are each trusted internally (as the mails are not
encrypted when stored on the servers or clients).

S/MIME will mean the emails are encrypted a stage further and will not
become unencrypted until at the client.

Another option you may want to consider is actually encrypting the data
separately as part of the email process with a product such as PGP as
this allows the recipient of the mail to easily store the data in an
encrypted manner thus protecting it at the point of storage as well as
in transit.

It all depends on the level of risk / security and along with usability
/ transparency to the user levels that are required or acceptable in
your business.

Cheers

K

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: 07 June 2007 12:41
To: security-basics () securityfocus com
Subject: Re: E-mail Encryption - S/MIME vs TLS

On 2007-06-06 Danux wrote:
> Hi experts, we are in the way of implement E-mail Encryption, by now
> we have two proposals:
>
> S/MIME and TLS, we think the last one is better.
>
> I would like to know if you have a better solution?

Neither is better or worse than the other, because they do different
things. S/MIME enrypts the content of your e-mail, whereas TLS does
encryption on the transport level (i.e. encrypts the transport of an
e-mail between two hosts). Usually you want both.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq