M3AAWG Recommends TLS
SSL or Secure Sockets Layer is protocol designed to provide a secure way of transmitting information between computer systems. Originally created by Netscape and released publicly as SSLv2 in 1995 and updated to SSLv3 in 1996. TLS or Transport Layer Security was created in 1999 as a replacement for SSLv3. TLS and SSL are most commonly used to create a secure (encrypted) connection between your web browser and websites so that you can transmit sensitive information like login credentials, passwords, and credit card numbers.
M3AAWG published a initial recommendation that urges the disabling of all versions of SSL. It has been a rough year for encryption security, first with Heartbleed vulnerability with the OpenSSL library, and again with POODLE which stands for “Padding Oracle on Downgraded Legacy Encryption” that was discovered by Google security researchers in October of 2014. On December 8, 2014 it was reported that TLS implementations are also vulnerable to POODLE attack, however unlike SSLv3, TLS can be patched where as SSL 3.0 has a fundamental issue with the protocol.
Due to a number of known security issues with SSLv2 and SSLv3, M3AAWG urges the industry to disable all versions of SSL.
M3AAWG are not the only ones calling to leave SSL behind, Firefox disabled all versions of SSL in Firefox 34, Microsoft will disable fallback to SSL 3 in IE11 starting in February 2015 and Apple’s Safari OSX 10.8 and iOS 8.1 have removed all support for SSLv3.
As more mailbox providers enable TLS encryption, it will protect emails in transit from eavesdropping. M3AAWG recommends starting with TLS version 1.2 for mail servers.