The Electronic Frontier Foundation (EFF) launched HTTPS-encryption initiative Let's Encrypt two years ago with Mozilla and Cisco. Now it's turning its attention to email servers with a new project called STARTTLS Everywhere, which aims to help server admins run STARTTLS emails servers properly. Because according to the EFF, most aren't.
STARTTLS is an extension of the SMTP email-sending protocol, which turns insecure connections into secure ones with SSL certificates. In a nutshell, it sets up a communications channel between two email servers, which encrypts an email on sending, and then decrypts it on arrival, ensuring the email can't be read by other third-party servers.
Now, STARTTLS -- and the SMTP standard extension -- has been around since 1999, so it's nothing new. According to Google's latest Email Transparency Report, it's now operational on 89 percent of all online email servers. The problem, according to the EFF, is that it's often configured incorrectly.
As noted on an EFF blog post, "although many mail servers enable STARTTLS, most still not do validate certificates". This means an active attacker on the network can "get between two servers and impersonate one or both, allowing that attacker to read and even modify emails sent through your supposedly 'secure' connection. Since it's not common practice for emails servers to validate certificates, there's often little incentive to present valid certificates in the first place."
As the EFF says, the email ecosystem is stuck in a sort of chicken-and-egg dilemma. "No one validates certificates because the other party often doesn't have a valid one, and the long tail of mail servers continue to use invalid certificates because no one is validating them anyway," the blog post continues.
This is where STARTTLS Everywhere should be able to help. It provides software that system admins can run on an email server to automatically get a valid certificate from Let's Encrypt. This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers.
It also includes a "preload list" of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. According to the blog post, this means "more secure email, and less mass surveillance." Mail server admins can read a technical deep dive on setting up STARTTLS on the STARTTLS Everywhere website, now.