Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

EFF Secures Email Delivery With STARTTLS Everywhere

The Electronic Frontier Foundation (EFF) this week announced STARTTLS Everywhere, a new project aimed at improving the security of email delivery.

The Electronic Frontier Foundation (EFF) this week announced STARTTLS Everywhere, a new project aimed at improving the security of email delivery.

The EFF is already involved in initiatives aimed at encrypting the web, such as the Let’s Encrypt Certificate Authority, and is now determined to advance email encryption in a manner similar to that of browsing.

Designed for mailserver admins, STARTTLS Everywhere provides the software that allows email servers to automatically get a valid certificate from Let’s Encrypt. It also allows admins to configure their email server software to use STARTTLS, and presents the valid certificate to other email servers.

What’s more, STARTTLS Everywhere features a “preload list” of email servers that have promised to support STARTTLS, thus making it easy to detect downgrade attacks.

“The net result: more secure email, and less mass surveillance,” EFF says.

An addition to SMTP, STARTTLS allows email servers to establish encrypted communication channels to one another, thus delivering email messages securely, without exposing data to anyone listening to the network traffic.

Unlike PGP and S/MIME, which deliver end-to-end encryption, STARTTLS only offers hop-to-hop encryption (hops are the computers an email goes through before reaching its destination), which means that mail providers can read emails if no additional protection is in place.

“Thus, STARTTLS is not a replacement for secure end-to-end solutions. Instead, STARTTLS allows email service providers and administrators to provide a baseline measure of security against outside adversaries,” EFF explains.

 Courtesy of various efforts over the past years, effective STARTTLS encryption is as high as 89% at the moment, as per Google’s Email Transparency Report. Five years ago, it was at only 39%.

However, even if many mailservers enable STARTTLS, most still do not validate certificates, which provides attackers with the possibility to impersonate them and access or spoof messages that are sent over secure connections.

“As a result, the ecosystem is stuck in a sort of chicken-and-egg problem: no one validates certificates because the other party often doesn’t have a valid one, and the long tail of mailservers continue to use invalid certificates because no one is validating them anyway,” EFF notes.

What’s more, even if a server has STARTTLS and uses a valid certificate, there is no guarantee the communication will be encrypted, because the initial data exchange between servers isn’t encrypted and attackers can block the establishing of a secure connection. Thus, both servers would believe the other doesn’t support STARTTLS, which results in a downgrade attack.

Without encryption, emails are delivered over the Simple Mail Transfer Protocol, or SMTP, which doesn’t secure messages, but allows anyone on the network to read their contents. Thus, not only is sniffing one’s emails an easy task, but mass surveillance also becomes possible.

With the new initiative, EFF wants to increase adoption of STARTTLS, to increase the number of mailservers that actually validate certificates, and also to prevent downgrade attacks on email services.

For mailserver admins, a technical deep dive into STARTTLS Everywhere is available.

Related: DMARC Not Implemented on Most White House Email Domains: Analysis

Related: Few RSA Conference Exhibitors Implemented DMARC

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...