NHS email encryption

[Adrian Midgley]

Dave Howe wrote:
> Adrian Midgley wrote:
>> Is it possible to document that (I mean further than just saying it - I
>> believe you of course)?
>
> I will check when I am back at work next week - we "resolved" the
> problem by forcing use of HELO on the systems affected, but could turn
> that off temporarily (or just use puTTY for the exchange :)
>
>> And can I confirm that this would mean that the system being presented
>> to doctors and all other NHS workers as providing encrypted ("end to
>> end" no less) transmission to collect mail by (webmail and) POP3 and
>> IMAP4 over SSL so as to safely carry patient-identifiable information
>> between places in the NHS network and places outside it, does not
>> provide that encryption when operated as described?
>
> When connected to from outside of the NHS? presumably that is outside
> of their secure zone, so isn't affected either way by any assertions
> they have made regarding nhs-only mail.
>
But the assertion made to us is that nhs.net mail gives us secure access
to our mail (IE maintaining "end to end" encryption) from eg home, when
we read it collecting it from/using the nhs.net servers which are
provided for access to internal mail from outside.


> I think it is more that they don't want to do TLS to anyone outside of
> their "trusted domain". My understanding is that TLS works fine for
> "internal" users, but they don't know how to turn off the STARTTLS ad
> for ehlo for external users without also disabling it for internal...
>
Again, this sounds a) bizarre, and b) not unlikely.  But it would
suggest that certain specific promises were not being kept.