Email Security

    SSL vs. TLS vs. STARTTLS Encryption

    Learn About The Differences Between SSL Vs. TLS Vs. STARTTLS Encryption, The Most Important Email Security Protocols Used To Protect Emails Over The Internet.

    by Kristin Burnham

    Key Points

    • Email is one of the most desirable targets for cybercriminals, who look to intercept messages and steal valuable enterprise data.
    • Email security protocols protect email accounts and their messages against unauthorized access.
    • SSL/TLS and STARTTLS are a few email security protocols that use encryption to protect messages.

    Email is one of the most important and widely used communication mediums, with more than 300 billion messages sent and received every day in 2020.[1] It’s also a highly desirable attack vector for hackers who target it for phishing attacks, to steal sensitive information and to spread malware and spam. In 2020, email threats rose by 64% year over year, with employees clicking on three times as many malicious emails as they did pre-pandemic, according to Mimecast’s State of Email Security report. Further, threat actors are launching more sophisticated and complex attacks, making it more difficult for humans to detect these attacks. It’s critical that organizations fortify email to prevent data loss with the appropriate email security protocols.

    What Are Email Security Protocols?

    Email security protocols are techniques and procedures that use cryptography to protect email accounts and their messages against unauthorized access. Because email can contain sensitive and confidential information — such as user names, passwords, bank account details and other personally identifiable information — it’s important that all messages are encrypted. Encryption protects the content from being read by anyone other than the intended recipients.

    What Are SSL, TLS, and STARTTLS?

    Three standard email security protocols are used to secure email transmission: Secure Sockets Layer (SSL), Transport Layer Security (TLS) and STARTTLS.

    SSL vs. TLS: SSL and its successor, TLS, are protocols that encrypt internet traffic to make it secure for communication. Without encryption, anyone could read the confidential information being transmitted. With SSL and TLS, if an email is intercepted at any point, it’s rendered useless because its contents are encrypted. It’s common for these two technologies to be referred to as just SSL or SSL/TLS.

    SSL/TLS work by initiating a series of handshakes with an email server when it receives an email. A handshake is a negotiation between an email client — such as Gmail or Outlook — and a server in which they agree on the details of their connection. Handshakes require a number of detailed steps, from determining what version of SSL/TLS will be used and how the communication will be encrypted to establishing that a secure connection is in place before transferring the data.

    After the handshake is completed, the email server returns a TLS digital certificate and public encryption key to the email client. The email client then verifies the certificate and creates a shared secret key (SSK), which is returned to the server. The server decrypts the SSK, which allows the transmission of emails.

    STARTTLS: Before email encryption was standard, many connections between email clients and servers were insecure. The development of STARTTLS helped reduce the risk of stolen information by upgrading an existing insecure connection to a secure one using SSL/TLS. While STARTTLS has TLS in its name, it’s not necessary to use TLS; users can choose SSL instead.

    The difference between SSL/TLS and STARTTLS is that the latter is not a protocol but a command issued between an email program and a server. STARTTLS notifies a mail server that the contents of an email need to be encrypted. If the mail is intercepted, its contents and metadata are scrambled and difficult to decode. Once the transmission is received, the data will be decrypted.

    There are drawbacks to STARTTLS, however. For example, if the command fails, the email will not be encrypted. Email clients are also susceptible to “man-in-the-middle” attacks in which a hacker steals information by intercepting communications through eavesdropping or modifying traffic traveling between the two parties. This is possible because during the initial connection between the client and the server using STARTTLS, the IP addresses are not yet encrypted.
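
    The failure mode described above, as an added example that is not part of the original article: a small Python model of how a client's policy decides the outcome when STARTTLS is missing from the server's EHLO reply or the command is refused. The function names and the server replies are constructed for illustration.

```python
from typing import Optional

def ehlo_extensions(reply: str) -> set:
    """Extension keywords from a multi-line EHLO reply (250-KEYWORD / 250 KEYWORD)."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:   # line 1 is the server greeting
        parts = line[4:].split() if line.startswith("250") else []
        if parts:
            exts.add(parts[0].upper())
    return exts

def starttls_outcome(ehlo_reply: str, starttls_reply: Optional[str], require_tls: bool) -> str:
    """Return 'encrypted', 'plaintext' or 'abort' for one connection attempt.

    starttls_reply is the server's answer to the STARTTLS command, or None when
    the client never sent it because the extension was not advertised.
    """
    advertised = "STARTTLS" in ehlo_extensions(ehlo_reply)
    if advertised and starttls_reply is not None and starttls_reply.startswith("220"):
        return "encrypted"      # the TLS handshake and certificate checks follow
    # Upgrade missing or refused: only an opportunistic client keeps going.
    return "abort" if require_tls else "plaintext"

# Constructed sample replies, not captured from a real server.
EHLO_WITH_TLS = "250-mx.example.test Hello\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.example.test Hello\n250-SIZE 35882577\n250 8BITMIME"
READY = "220 2.0.0 Ready to start TLS"
REFUSED = "454 4.7.0 TLS not available due to temporary reason"

def run_cases() -> dict:
    """Map each scenario to (opportunistic outcome, strict outcome)."""
    cases = {
        "normal": (EHLO_WITH_TLS, READY),
        "not advertised": (EHLO_NO_TLS, None),
        "command fails": (EHLO_WITH_TLS, REFUSED),
    }
    return {
        name: (starttls_outcome(e, s, require_tls=False),
               starttls_outcome(e, s, require_tls=True))
        for name, (e, s) in cases.items()
    }

if __name__ == "__main__":
    for name, (opportunistic, strict) in run_cases().items():
        print(f"{name:15} opportunistic={opportunistic:10} strict={strict}")
```

    An opportunistic client sends the message unencrypted in the last two cases, while a client that requires TLS stops before any message content leaves the machine.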

    The Need for SSL, TLS and STARTTLS  

    Because insecure email is a common attack vector for cybercriminals, it’s critical to use email security protocols like SSL/TLS and STARTTLS. Without this measure, users subject their emails and the sensitive data they contain to the possibility of interception, theft and email domain spoofing.

    With SSL/TLS or STARTTLS in place, however, cybercriminals who intercept an email aren’t so lucky. These emails can’t be decrypted without the keys to decode them, which only the email server and client have.

    SSL vs. TLS vs. STARTTLS Port Numbers

    A port number identifies a specific process for how a message should be forwarded when it arrives at a server. Email clients might need alternative port numbers based on the type of connection and the encryption that’s supported.

    Email technologies like Internet Message Access Protocol (IMAP), Post Office Protocol (POP), and Simple Mail Transfer Protocol (SMTP) were all used when SSL/TLS was developed. At that point, plain-text connections were expected across ports 143, 110 and 25. While many services supported using STARTTLS to upgrade the connections on these ports, some didn’t. In those cases, transmitting sensitive information in plain text was a risk because it could be stolen if an attacker was lurking.

    To improve security, three new ports were created that expected SSL/TLS connections from the outset and refused attempts to transmit information in plain text. This is called “implicit TLS,” which means both sides of a connection are expected to support encrypted connections.

    To support only one port, STARTTLS emerged as a way for a client to connect over plain text, then upgrade to a secure connection that used SSL/TLS. Ultimately, this posed a number of client and security problems. To remedy this, most services continued to use plain-text connections on one port number and offer secure, implicit SSL/TLS connections on a second one. Today, most users use implicit SSL/TLS with port 465 and upgrade their connection with STARTTLS using port 587.
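
    One way to open both kinds of connection with Python's standard smtplib, added here as an example and not taken from the article: implicit TLS on port 465 and a STARTTLS upgrade on port 587 that fails closed. The function names are hypothetical, and requiring TLS 1.2 or later is this example's assumption.

```python
import smtplib
import ssl

IMPLICIT_TLS_PORT = 465   # TLS from the first byte of the connection
STARTTLS_PORT = 587       # plain text first, then upgraded with STARTTLS

def strict_context() -> ssl.SSLContext:
    """TLS settings shared by both connection styles."""
    ctx = ssl.create_default_context()            # verifies certificate chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: reject older protocol versions
    return ctx

def connect_implicit_tls(host: str, timeout: float = 10.0) -> smtplib.SMTP_SSL:
    """Port 465: the TLS handshake happens before any SMTP command is sent."""
    return smtplib.SMTP_SSL(host, IMPLICIT_TLS_PORT,
                            context=strict_context(), timeout=timeout)

def connect_starttls(host: str, timeout: float = 10.0) -> smtplib.SMTP:
    """Port 587: connect in plain text, then upgrade; never continue unencrypted."""
    conn = smtplib.SMTP(host, STARTTLS_PORT, timeout=timeout)
    try:
        conn.ehlo()
        # starttls() raises SMTPNotSupportedError when the server does not
        # advertise the extension, and SMTPResponseException when the server
        # answers the command with anything other than 220.
        conn.starttls(context=strict_context())
        conn.ehlo()   # re-read the extensions over the encrypted channel
        return conn
    except Exception:
        conn.close()  # fail closed instead of falling back to plain text
        raise

if __name__ == "__main__":
    # No network access here: print the policy both connection helpers share.
    # Pass your own mail server's host name to connect_implicit_tls() or
    # connect_starttls() to open a real session.
    ctx = strict_context()
    print(ctx.minimum_version, ctx.verify_mode, ctx.check_hostname)
```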

    The Bottom Line

    Failing to secure email places organizations at high risk for cyberattacks and data loss — events that can be both devastating and costly to recover from. SSL/TLS and STARTTLS are a few ways to secure email and prevent cybercriminals from intercepting messages as they travel over the email network. Organizations with these measures in place benefit from enhanced email security and data protection.


    [1] “Number of sent and received e-mails per day worldwide from 2017-2025,” Statista
