Facebook encourages email providers to deploy STARTTLS encryption

As more email servers support encryption the value increases for everyone, researchers from Facebook said

Facebook is pushing for more email providers to use STARTTLS, a technology that encrypts emails as they pass between servers and clients, after an analysis showed that any SMTP (Simple Mail Transfer Protocol) server that adds the feature now would start encrypting over half of its outbound email traffic.

STARTTLS is an extension for several communication protocols, including IMAP and POP3, SMTP, FTP and XMPP and allows a plain text connection to be upgraded to an encrypted one using the TLS (Transport Layer Security) or SSL (Secure Sockets Layer) protocols.

Researchers at Facebook recently analyzed a day's worth of the company's email logs to determine how widely STARTTLS is deployed among email servers around the world. The company is in a good position to run such a test because it sends several billion notification emails every day to user email addresses hosted across millions of domain names.

"We found that 76 percent of unique MX hostnames [email server hostnames] that receive our emails support STARTTLS," the Facebook researchers said Tuesday in a blog post. "As a result, 58 percent of notification emails are successfully encrypted."

SSL certificates are successfully validated for around half of encrypted email traffic and the other half is "opportunistically encrypted," the researchers said.

By opportunistic encryption Facebook refers to encrypted connections that are established despite the SSL certificate presented by the server not passing strict validation criteria. This can happen if the certificate is not signed by a trusted certificate authority, is expired or was not issued for the host name where it was used.

The Facebook researchers found that for over 99 percent of emails that were encrypted using opportunistic encryption the reason for certificate validation failures was a hostname mismatch, the certificates being otherwise acceptable.

Seventy-four percent of MX hosts that supported STARTTLS provided perfect forward secrecy (PFS), a property of some TLS cipher suites that prevents the decryption of previously captured traffic if the server's private key is later compromised.

The majority of email traffic sent by Facebook to servers with STARTTLS support was encrypted with the ECDHE-RSA-RC4-SHA and DHE-RSA-AES256-SHA cipher suites, but that was probably the result of those suites being preferred by the major email providers. When counted by unique deployments, the majority of servers used DHE-RSA-AES128-SHA.

The second most prevalent cipher suite by unique server IP addresses was AES128-SHA, which is concerning because it does not provide perfect forward secrecy, the Facebook researchers said.

PFS has become an increasingly recommended feature for TLS deployments, amid growing concerns over the past year of widespread Internet surveillance by intelligence agencies like the U.S. National Security Agency and the U.K.'s Government Communications Headquarters.

The analysis carried out by the Facebook researchers shows that STARTTLS is already widely supported by email servers, even though there are certificate management issues that could be resolved.

"We see two high priority areas for improvement," the Facebook researchers said. "First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS."

"A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted," they said.

Join the PC World newsletter!

Error: Please check your email address.

Tags online safetysecurityencryptiondata protectionprivacypkiFacebook

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?