Facebook encourages email providers to deploy STARTTLS encryption

As more email servers support encryption the value increases for everyone, researchers from Facebook said

Facebook is pushing for more email providers to use STARTTLS, a technology that encrypts emails as they pass between servers and clients, after an analysis showed that any SMTP (Simple Mail Transfer Protocol) server that adds the feature now would start encrypting over half of its outbound email traffic.

STARTTLS is an extension for several communication protocols, including IMAP and POP3, SMTP, FTP and XMPP and allows a plain text connection to be upgraded to an encrypted one using the TLS (Transport Layer Security) or SSL (Secure Sockets Layer) protocols.

Researchers at Facebook recently analyzed a day's worth of the company's email logs to determine how widely STARTTLS is deployed among email servers around the world. The company is in a good position to run such a test because it sends several billion notification emails every day to user email addresses hosted across millions of domain names.

"We found that 76 percent of unique MX hostnames [email server hostnames] that receive our emails support STARTTLS," the Facebook researchers said Tuesday in a blog post. "As a result, 58 percent of notification emails are successfully encrypted."

SSL certificates are successfully validated for around half of encrypted email traffic and the other half is "opportunistically encrypted," the researchers said.

By opportunistic encryption Facebook refers to encrypted connections that are established despite the SSL certificate presented by the server not passing strict validation criteria. This can happen if the certificate is not signed by a trusted certificate authority, is expired or was not issued for the host name where it was used.

The Facebook researchers found that for over 99 percent of emails that were encrypted using opportunistic encryption the reason for certificate validation failures was a hostname mismatch, the certificates being otherwise acceptable.

Seventy-four percent of MX hosts that supported STARTTLS provided perfect forward secrecy (PFS), a property of some TLS cipher suites that prevents the decryption of previously captured traffic if the server's private key is later compromised.

The majority of email traffic sent by Facebook to servers with STARTTLS support was encrypted with the ECDHE-RSA-RC4-SHA and DHE-RSA-AES256-SHA cipher suites, but that was probably the result of those suites being preferred by the major email providers. When counted by unique deployments, the majority of servers used DHE-RSA-AES128-SHA.

The second most prevalent cipher suite by unique server IP addresses was AES128-SHA, which is concerning because it does not provide perfect forward secrecy, the Facebook researchers said.

PFS has become an increasingly recommended feature for TLS deployments, amid growing concerns over the past year of widespread Internet surveillance by intelligence agencies like the U.S. National Security Agency and the U.K.'s Government Communications Headquarters.

The analysis carried out by the Facebook researchers shows that STARTTLS is already widely supported by email servers, even though there are certificate management issues that could be resolved.

"We see two high priority areas for improvement," the Facebook researchers said. "First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS."

"A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted," they said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags privacyFacebookdata protectionencryptiononline safetypki

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender’s best-in-class security solutions have been awarded Product of the Year. Get cybersecurity that 500 MILLION users already have and trust!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?