Communicating safely in a hostile world with Transport Layer Security and X.509

The internet is a hostile environment, yet it is straightforward to communicate safely with Transport Layer Security (TLS) and X.509 certificates.

From the days of Elizabeth I there have been secret messages and those who wanted to intercept them; it was once a matter of life and death. These days it is a matter of personal privacy and e-commerce, and since the widespread adoption of Public Key Infrastructure (PKI) and X.509 certificates it has been straightforward and free to ensure that the most sensitive information travels across the open internet safely, even when it passes through hostile territory.

It makes sense to trust your own servers: if they are compromised then all may be lost, which is why we use secure protocols such as OpenSSH to communicate with them. Hardening SSH, the secure shell, is a first step towards ensuring that only trusted users can access a system.

Because they are local, the loopback addresses 127.0.0.1 (IPv4) and ::1 (IPv6) are usually considered secure, as are local Unix sockets such as /tmp/.s.PGSQL.5432. File permissions (on those sockets) and network bridging are areas to be wary of.

Why would you not want TLS?

A TLS client normally checks that the name in the server's certificate matches the domain it connected to. Local addresses don't have a domain, so that check does not apply. There are also efficiency gains: for example, it doesn't make sense to pay the overhead of TLS between a Roundcube webmail server and a DBMail IMAP server when both run locally on the same machine or subnet, as long as that subnet is secure.

What matters is communication with the outside world. A Roundcube mail server should therefore be secured with TLS, as in https://mail.example.com, to ensure privacy for users accessing their email, and the DBMail IMAP server should communicate with its database over TLS to prevent eavesdropping.
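The two paragraphs above draw one line: a public host name gets TLS with certificate name checking, while loopback addresses and local sockets have no domain to check. The following Python example, added here and not part of the original post, makes that decision concrete. It implements the subjectAltName matching a TLS client performs (exact DNS names plus a single left-most wildcard label, and an IP literal only when the certificate carries an IP SAN), and builds a verifying `ssl.SSLContext` only for remote host names. The certificate dictionary is constructed in the shape `ssl.SSLSocket.getpeercert()` returns, with hypothetical names under example.com; no real certificate or network connection is involved.

```python
import ipaddress
import ssl
from typing import Optional

# Constructed certificate in the dict shape that ssl.SSLSocket.getpeercert()
# returns. The names are hypothetical; there is no IP Address SAN on purpose,
# because a certificate issued for a domain rarely carries one.
MAIL_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may replace only the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, the pattern must keep at
    # least two fixed labels (so '*' and '*.com' match nothing), and a wildcard
    # never spans more than one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def is_ip_literal(target: str) -> bool:
    """True for an IPv4 or IPv6 address literal such as 127.0.0.1 or ::1."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def certificate_matches(cert: dict, target: str) -> bool:
    """Return True if the certificate's subjectAltName covers `target`.

    DNS names are matched against DNS entries; an IP literal only matches an
    explicit 'IP Address' entry, which is why a loopback address cannot be
    verified against a certificate issued for a domain.
    """
    sans = cert.get("subjectAltName", ())
    if is_ip_literal(target):
        ip = ipaddress.ip_address(target)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_name_match(value, target)
               for kind, value in sans)


def is_local_endpoint(target: str) -> bool:
    """Loopback addresses and Unix socket paths are the 'local' case."""
    if target.startswith("/"):
        return True
    return is_ip_literal(target) and ipaddress.ip_address(target).is_loopback


def client_context_for(target: str) -> Optional[ssl.SSLContext]:
    """Verifying TLS context for a remote host name; None for local endpoints."""
    if is_local_endpoint(target):
        return None
    ctx = ssl.create_default_context()        # system CA store, CERT_REQUIRED
    ctx.check_hostname = True                 # enforce the name check above
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    targets = ["mail.example.com", "imap.example.com", "evil.example.org",
               "127.0.0.1", "::1", "/tmp/.s.PGSQL.5432"]
    for t in targets:
        mode = "plain (local)" if client_context_for(t) is None else "TLS"
        print(f"{t:24} {mode:14} cert matches: {certificate_matches(MAIL_CERT, t)}")
```

Run it as-is to see the decision table: the two example.com names are verified and get a TLS context, the unrelated domain and both loopback literals fail the name check, and the loopback addresses and the PostgreSQL socket path are treated as local and get no TLS context at all. Replace `MAIL_CERT` with the result of `getpeercert()` from a real connection to check a live certificate the same way.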

There are many ways to monitor suspicious activity and prevent unwanted access; the DBMail docs offer an example using Fail2Ban: https://dbmail.org/en/manage/defence/imap-defence/.

Transport Layer Security has been available for decades and is built into almost every service.

Security is for everyone. If you haven't already done so, obtain or create a certificate (they are free) and configure it today.