Facebook encourages email providers to deploy STARTTLS encryption

As more email servers support encryption the value increases for everyone, researchers from Facebook said

Facebook is pushing for more email providers to use STARTTLS, a technology that encrypts emails as they pass between servers and clients, after an analysis showed that any SMTP (Simple Mail Transfer Protocol) server that adds the feature now would start encrypting over half of its outbound email traffic.

STARTTLS is an extension for several communication protocols, including IMAP and POP3, SMTP, FTP and XMPP and allows a plain text connection to be upgraded to an encrypted one using the TLS (Transport Layer Security) or SSL (Secure Sockets Layer) protocols.

Researchers at Facebook recently analyzed a day's worth of the company's email logs to determine how widely STARTTLS is deployed among email servers around the world. The company is in a good position to run such a test because it sends several billion notification emails every day to user email addresses hosted across millions of domain names.

"We found that 76 percent of unique MX hostnames [email server hostnames] that receive our emails support STARTTLS," the Facebook researchers said Tuesday in a blog post. "As a result, 58 percent of notification emails are successfully encrypted."

SSL certificates are successfully validated for around half of encrypted email traffic and the other half is "opportunistically encrypted," the researchers said.

By opportunistic encryption Facebook refers to encrypted connections that are established despite the SSL certificate presented by the server not passing strict validation criteria. This can happen if the certificate is not signed by a trusted certificate authority, is expired or was not issued for the host name where it was used.

The Facebook researchers found that for over 99 percent of emails that were encrypted using opportunistic encryption the reason for certificate validation failures was a hostname mismatch, the certificates being otherwise acceptable.

Seventy-four percent of MX hosts that supported STARTTLS provided perfect forward secrecy (PFS), a property of some TLS cipher suites that prevents the decryption of previously captured traffic if the server's private key is later compromised.

The majority of email traffic sent by Facebook to servers with STARTTLS support was encrypted with the ECDHE-RSA-RC4-SHA and DHE-RSA-AES256-SHA cipher suites, but that was probably the result of those suites being preferred by the major email providers. When counted by unique deployments, the majority of servers used DHE-RSA-AES128-SHA.

The second most prevalent cipher suite by unique server IP addresses was AES128-SHA, which is concerning because it does not provide perfect forward secrecy, the Facebook researchers said.

PFS has become an increasingly recommended feature for TLS deployments, amid growing concerns over the past year of widespread Internet surveillance by intelligence agencies like the U.S. National Security Agency and the U.K.'s Government Communications Headquarters.

The analysis carried out by the Facebook researchers shows that STARTTLS is already widely supported by email servers, even though there are certificate management issues that could be resolved.

"We see two high priority areas for improvement," the Facebook researchers said. "First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS."

"A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted," they said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags online safetysecurityencryptiondata protectionprivacypkiFacebook

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?