The eFax Blog

The Difference Between TLS and SSL Encryption | eFax Corporate  

June 22, 2017 - by eFax Corporate Team

One of the many benefits of working with eFax Corporate is the level of security and data protection that we offer. For those involved with sensitive or highly confidential information, a secure communications network is vital, particularly for the legal, finance and medical industries.

But what many businesses don’t realise is that the level of protection a cloud faxing service offers can vary depending on the type of encryption that is employed.

Can Your Fax Encryption Create Security and Compliance Issues?

The two most common types of encryption technologies are SSL (Secure Sockets Layer) and TLS (Transport Layer Security). These are both cryptographic protocols designed to encrypt and authenticate data while it is in transit over the Internet, and are widely used in applications such as web browsers, email, online faxing services, Voice over IP (VoIP) and websites.

business people group on meeting at modern bright office interior

However, while the terms SSL and TLS are often used interchangeably, they are in fact quite different. These differences are profound, and can result in your digital communications being hacked or falling out of compliance with government regulations.

SSL is, quite simply, out of date. Would you trust your company’s proprietary or government-regulated data to a transmission protocol that was developed over 20 years ago? Probably not, and for good reason.

Even if you don’t know the specific details about data encryption and secure transmission, you intuitively know that hackers and cyber criminals have become much more sophisticated since the turn of the millennium — and so have the security technologies used to stop their attacks. It simply wouldn’t make sense to safeguard your most important digital assets with such outdated methods.

Another issue is that many fax servers do not encrypt their hard drive’s data effectively, which creates another security weak point for the company. This can be particularly troublesome if the server is connected to the organisation’s network and that network is hacked.

These professional internet criminals have the ability to hack into your company’s back-end system and steal valuable information, such as customer data and credit card details. This is of grave concern for businesses in the financial sector as well as large e-commerce retailers that store user data.

businessman hand selecting cloud security concept

SSL (Secure Socket Layer) Explained

SSL works by encrypting the transmission path between a client and a server, and many companies still transmit their data using SSL — a protocol whose latest version, SSL 3.0, was released in 1996.

While it was the state of the art in its day, SSL 3.0 has since been shown to be vulnerable to the so-called “Man-in-the-Middle” attack, which would allow an interloper to insert themselves in the middle of a communication between two parties and quietly observe, or even alter, the contents of that communication without either party being aware. For example, a funds transfer from one bank account to another could be redirected to a different account at an off-shore bank simply by altering a few digits in the message.

This demonstrated obsolescence of SSL has led such major Internet players as Google and Mozilla to label the protocol as no longer

secure, and it has been officially deprecated by the Internet Engineering Task Force (IETF), the international body that creates the technical specifications on which the Internet operates.

In the IETF document titled “RFC 7568: Deprecating Secure Sockets Layer Version 3.0”, it is stated in no uncertain terms that SSL must not be used, because any version of TLS is more secure than SSL.

Transport Layer Security (TLS) Explained

Transport Layer Security is basically the standards-track successor to SSL. Picking up where SSL 3.0 left off, TLS 1.0 was released by the IETF in 1999, and closed the security loopholes that were present in its predecessor.

Although significantly improved over SSL, TLS version 1.0 and even 1.1 have, over time, been shown to have vulnerabilities to certain types of attacks by ever more sophisticated hackers. That is why the latest version, TLS 1.2, is strongly recommended for compliance with NHS and other related data privacy guidelines, which require that personal health information, when transmitted across the Internet, be protected through encryption.

The purpose of the TLS protocol is to allow client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering or message forgery, by creating a secure, authenticated communications channel (or ‘tunnel’) between sender and receiver that is protected by the strongest encryption available today.

By ‘encryption,’ we mean a cryptographic process that renders a communication unreadable and indecipherable by an outside party. Only the person for whom an encrypted message is intended will have the key that deciphers the coded message. And by ‘authenticated’ we mean a verification process which ensures that the parties to the conversation are who they claim to be and not impersonators.

This process of authentication, and setting up an encrypted communications channel, all happens transparently, as a result of a series of negotiations between the client (typically a web browser), and the server for a secure website, in a matter of seconds. The person attempting to connect to a secure website (as indicated by the HTTPS address prefix), will know they were successful when they see the lock symbol appear in the address bar of their web browser.

TLS can also be used for sending and receiving encrypted email, in which case the secure communications link will be established between a pair of email servers. This is also the process used to secure eFax transmissions across the Internet.

Again, the process is completely transparent to the people who are communicating over that link, with the exception that they may get an error message if their systems fail to establish a secure connection.

What TLS Encryption Means For Your Fax Security

First launched in 2016, the National Cyber Security Strategy is aimed at protecting Britain’s small businesses from all manner of cyber-attacks. The Government’s five-year-plan aims to raise awareness of the risk that legacy office equipment imposes. The strategy also aims to actively encourage British businesses to upgrade their digital security to fall in line with modern best practices.

The National Cyber Security Centre’s website recently published a blog post on how to use TLS to protect data, which strongly recommends TLS encryption for businesses with an online presence.

While improved data and internet security should be paramount for any online business, what exactly does this secure data encryption mean for your company’s faxing infrastructure?

Data Security and Cloud Faxing

If you’re considering a cloud faxing solution for your business, then it is vital to know what level of security is being offered and if it’s fully compliable with current regulations.

Before signing up with any provider, determine what level of fax security they offer and what protocols are being used. TLS and AES (Advanced Encryption Standard) are the two protocols which you should be most aware of.

  1. TLS 1.2 encryption is the maximum-security protocol used to transmit electronic faxes, whether that’s by email or online.
  2. AES (Advanced Encryption Standard) 256-Bit, is the recommended form of ‘strong’ encryption of your fax data while at rest, such as when your faxes are being stored.

Luckily, both of these encryption protocols can be found in eFax Corporate’s cloud faxing service. With eFax Corporate your faxes are highly secure, while in transit or at rest, in the secure cloud storage system.

eFax Corporate is a leading provider of cloud faxing services and has become a trusted fax partner for numerous high-profile businesses in the most heavily regulated sectors.

To learn more about eFax Corporate, and what it can do for your company, be sure to contact us today.