As email moved outside the realm of educational institutions and into the realm of business and everyday use, the need for increased security became apparent. To address those concerns, email clients added support for various encryption protocols, including SSL and TLS. Thunderbird supports both protocols, but implements them slightly differently. Your choice can significantly affect your security, depending on the version of Thunderbird you are using.
An Overview of SSL
SSL is a protocol designed to protect client-server communication. The two main types of encryption are symmetric and asymmetric (public-key) cryptography. Because each has its own advantages, SSL uses a combination of symmetric and asymmetric encryption. When an email client connects to a secure server, the server gives the client a copy of its public (asymmetric) key. The client then generates a symmetric key and uses the server’s public key to encrypt it for transit back to the server. When the server receives it, it uses its private key to decrypt the symmetric key and establish a secure connection. From this point forward, all communication is encrypted with the symmetric key. Because of this hybrid approach, each session is protected by a uniquely generated symmetric key.
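As an added illustration of the hybrid key exchange just described (not code from the original article, and not Thunderbird's or Mozilla's code), the following Python script plays both sides of the exchange in one process. Textbook RSA over freshly generated 128-bit primes stands in for the server's asymmetric key, and a SHA-256 keystream stands in for the symmetric cipher; both are simplified stand-ins chosen to keep the example dependency-free, not secure constructions (real SSL/TLS uses padded or Diffie-Hellman key exchange and an authenticated cipher). The message and the 16-byte session key size are constructed for the example.

```python
import hashlib
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test with random bases (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite witness found
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with its top bit set, so p*q is at least 2*bits-1 bits wide."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits: int = 256):
    """Textbook RSA key pair: returns ((e, n), (d, n)). Illustration only, no padding."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR with a SHA-256(key || counter) keystream. Same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def hybrid_session(message: bytes) -> dict:
    """Run the SSL-style exchange from the article with both parties in one process."""
    # Server: long-lived asymmetric key pair; the public half is handed to any client.
    server_pub, server_priv = rsa_keypair()
    e, n = server_pub

    # Client: fresh symmetric key for this session only, wrapped with the server's public key.
    session_key = secrets.token_bytes(16)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)

    # Server: unwrap with the private key; only the private-key holder can do this.
    d, _ = server_priv
    unwrapped_key = pow(wrapped_key, d, n).to_bytes(16, "big")

    # From here on, application data is protected by the shared symmetric key.
    ciphertext = stream_xor(session_key, message)
    recovered = stream_xor(unwrapped_key, ciphertext)
    return {
        "session_key": session_key,
        "keys_agree": unwrapped_key == session_key,
        "ciphertext": ciphertext,
        "recovered": recovered,
    }


if __name__ == "__main__":
    result = hybrid_session(b"Subject: hello\r\n\r\nMail body")  # constructed sample message
    print("keys agree:", result["keys_agree"])
    print("recovered :", result["recovered"])
```

Running `hybrid_session` twice yields two different session keys, which is the "uniquely generated symmetric key per session" property the paragraph describes; the server's RSA pair, by contrast, could be reused across many sessions.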
TLS: SSL’s Successor
TLS is the direct successor to SSL. On a basic level it uses a virtually identical approach to SSL, with each session negotiated and uniquely encrypted. On a technical level, TLS is a newer version of the protocol with a number of improvements and refinements over its predecessor. As an added bonus, while it appears that the NSA has compromised SSL, there is no evidence to date that it has compromised the newer TLS.
STARTTLS: The Confusion Begins
Many email programs, including Thunderbird, reference STARTTLS in regard to email encryption. STARTTLS is not a third encryption protocol, but a method of performing the initial “handshake” to establish an encrypted connection. As encrypted communication became widespread, ports were assigned specifically to handle the secure traffic. STARTTLS is designed to upgrade plain text communication to secure, encrypted communication without using a separate port.
Where Thunderbird Fits In
All recent versions of Mozilla Thunderbird support SSL and TLS, although their implementations differ. Some versions offered “SSL,” “TLS” and “TLS If Available.” The last option poses a potential security risk, because it continues with the session even if the server does not support TLS: a plain text session is started and the client asks the server whether it supports TLS. If it does, the connection is upgraded to an encrypted session. If it does not, Thunderbird continues the session in plain text, making it possible for your username, password and emails to be intercepted. In versions of Thunderbird with the “TLS If Available” option, choose “SSL” to ensure all communication is encrypted; if the server does not support SSL, the session is terminated without any private data being transmitted. Later versions of Thunderbird remove the “If Available” feature in favor of “SSL/TLS” and “STARTTLS.” The main difference between those two options is that the first allows Thunderbird to use the older protocol if the server does not support TLS; for maximum compatibility, use this option. Use “STARTTLS” to force Thunderbird to use the newer, more secure protocol. In either case, newer versions of Thunderbird terminate the session if the server does not support secure communication.
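To make the difference between the two client policies concrete, here is an added Python example (not Thunderbird's code, and not from the original article) that simulates an IMAP server in-process and runs a client under the older “TLS If Available” behaviour and the later strict “STARTTLS” behaviour described above. The server class, the capability strings and the credentials are constructed for the example; no real TLS handshake takes place. The server only records whether each line arrived before or after the STARTTLS upgrade, which is enough to show when the LOGIN command would have crossed the wire in plain text.

```python
from dataclasses import dataclass, field


@dataclass
class FakeImapServer:
    """Constructed stand-in for an IMAP server: records every line received together with
    whether the link was already encrypted at that moment (no real TLS is performed)."""
    supports_starttls: bool
    encrypted: bool = False
    transcript: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        self.transcript.append((self.encrypted, line))
        tag, command = line.split(" ", 1)
        if command == "CAPABILITY":
            caps = "IMAP4rev1" + (" STARTTLS" if self.supports_starttls else "")
            return f"* CAPABILITY {caps}\r\n{tag} OK CAPABILITY completed"
        if command == "STARTTLS":
            if not self.supports_starttls:
                return f"{tag} BAD STARTTLS not supported"
            self.encrypted = True  # the TLS handshake would run here; later lines are protected
            return f"{tag} OK Begin TLS negotiation now"
        if command.startswith("LOGIN "):
            return f"{tag} OK LOGIN completed"
        if command == "LOGOUT":
            return f"* BYE\r\n{tag} OK LOGOUT completed"
        return f"{tag} BAD unknown command"


def connect_and_login(server: FakeImapServer, policy: str, user: str, password: str) -> dict:
    """policy is 'starttls_required' (the later 'STARTTLS' setting) or
    'tls_if_available' (the older 'TLS If Available' setting)."""
    reply = server.handle("a1 CAPABILITY")
    capabilities = reply.splitlines()[0].split()[2:]

    if "STARTTLS" in capabilities:
        server.handle("a2 STARTTLS")           # upgrade the plain-text link before sending anything private
    elif policy == "starttls_required":
        # Strict client: no upgrade offered, so end the session before any credential is sent.
        server.handle("a2 LOGOUT")
        return {"logged_in": False, "credentials_sent_in_clear": False}
    elif policy != "tls_if_available":
        raise ValueError(f"unknown policy {policy!r}")
    # 'tls_if_available' reaches this point even on a plain-text link and logs in anyway.

    server.handle(f"a3 LOGIN {user} {password}")
    leaked = any(not enc and line.startswith("a3 LOGIN") for enc, line in server.transcript)
    return {"logged_in": True, "credentials_sent_in_clear": leaked}


def demo() -> dict:
    """Runs all four server/policy combinations and reports which ones exposed the credentials."""
    results = {}
    for supports in (True, False):
        for policy in ("starttls_required", "tls_if_available"):
            # "alice" / "s3cret" are constructed sample credentials
            outcome = connect_and_login(FakeImapServer(supports), policy, "alice", "s3cret")
            results[(supports, policy)] = outcome
    return results


if __name__ == "__main__":
    for (supports, policy), outcome in demo().items():
        print(f"server STARTTLS={supports!s:5} policy={policy:18} -> {outcome}")
```

Only one of the four combinations leaks: a server without STARTTLS paired with the opportunistic client, which is exactly the case the paragraph warns about. The strict client against the same server never sends LOGIN at all, matching the behaviour of the later “STARTTLS” setting.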