Image credit: EFF

The EFF wants to make email servers more secure

STARTTLS Everywhere is like Let's Encrypt for email servers.
The Electronic Frontier Foundation (EFF) launched the HTTPS-encryption initiative Let's Encrypt two years ago with Mozilla and Cisco. Now it's turning its attention to email servers with a new project called STARTTLS Everywhere, which aims to help server admins run STARTTLS email servers properly, because, according to the EFF, most don't.

STARTTLS is an extension of SMTP, the email-sending protocol, that upgrades an insecure connection into an encrypted one, authenticated with TLS (commonly still called SSL) certificates. In a nutshell, it sets up an encrypted channel between two email servers: the message is encrypted as it leaves one server and decrypted when it arrives at the other, so it can't be read by anyone eavesdropping on the network between them. That protection covers the hop between those two servers, not the message once it is stored on either of them.

Now, STARTTLS, as an SMTP extension, has been around since 1999, so it's nothing new. According to Google's latest Email Transparency Report, it's now operational on 89 percent of all online email servers. The problem, according to the EFF, is that it's often configured incorrectly.

As noted in an EFF blog post, "although many mail servers enable STARTTLS, most still do not validate certificates". This means an active attacker on the network can "get between two servers and impersonate one or both, allowing that attacker to read and even modify emails sent through your supposedly 'secure' connection. Since it's not common practice for email servers to validate certificates, there's often little incentive to present valid certificates in the first place."

As the EFF says, the email ecosystem is stuck in a sort of chicken-and-egg dilemma. "No one validates certificates because the other party often doesn't have a valid one, and the long tail of mail servers continues to use invalid certificates because no one is validating them anyway," the blog post continues.

This is where STARTTLS Everywhere should be able to help. It provides software that system admins can run on an email server to automatically obtain a valid certificate from Let's Encrypt. The same software can also configure the mail server so that it uses STARTTLS and presents that valid certificate to other email servers.

It also includes a "preload list" of email servers that have promised to support STARTTLS. Because a listed server is known to offer STARTTLS, a connection to it that doesn't can be recognised as a downgrade attack rather than treated as a server that simply lacks TLS. According to the blog post, this means "more secure email, and less mass surveillance." Mail server admins can read a technical deep dive on setting up STARTTLS on the STARTTLS Everywhere website.
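To make the three points above concrete (STARTTLS upgrading a plaintext SMTP session, the missing certificate validation that lets an attacker impersonate a server, and a preload list turning a missing STARTTLS offer into a detectable downgrade), here is an added example of how a validating SMTP client behaves. This is illustrative code written for this article, not code from the EFF or the STARTTLS Everywhere project. `MUST_TLS` is a constructed stand-in for a preload list, and the host and domain passed on the command line are assumptions about what you want to check.

```python
"""Check a mail server's STARTTLS support the way a validating client would.

Added example (not the EFF's or STARTTLS Everywhere's own code). It speaks
plain SMTP to a server, requires that STARTTLS is advertised, upgrades the
connection, and insists on a certificate that chains to a trusted CA and
matches the host name it connected to. Domains in MUST_TLS (a constructed
stand-in for a preload list) are refused plaintext delivery when STARTTLS
is missing, instead of silently falling back.
"""
import socket
import ssl
import sys

# Constructed stand-in for a STARTTLS preload list: domains whose mail servers
# have committed to STARTTLS, so its absence is treated as a downgrade.
MUST_TLS = {"example.com"}


def parse_ehlo(reply: str) -> set[str]:
    """Return the SMTP extensions advertised in a multi-line EHLO reply.

    The first "250-" line carries the server's host name, not an extension,
    so it is skipped; every later "250-XXX" or "250 XXX" line names one.
    """
    extensions = set()
    for line in reply.splitlines()[1:]:
        if len(line) >= 4 and line[:3] == "250" and line[3] in " -":
            words = line[4:].split()
            if words:
                extensions.add(words[0].upper())
    return extensions


def verifying_context() -> ssl.SSLContext:
    """TLS context that rejects untrusted or mismatched certificates.

    These are Python's defaults; they are set explicitly because the EFF's
    point is that many mail servers run with the equivalent of CERT_NONE.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def delivery_decision(domain: str, extensions: set[str]) -> str:
    """Decide how to proceed given what the server advertised in EHLO."""
    if "STARTTLS" in extensions:
        return "starttls"
    if domain in MUST_TLS:
        return "refuse"      # committed to TLS, so a missing offer is a downgrade
    return "plaintext"       # the opportunistic fallback the EFF post warns about


def _read_reply(reader) -> str:
    """Read one SMTP reply, which may span several 'NNN-' continuation lines."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def check_server(host: str, domain: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, EHLO, upgrade with STARTTLS and verify the presented certificate."""
    result = {"host": host, "decision": None, "verified": False, "error": None}
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        _read_reply(reader)                               # 220 banner
        sock.sendall(b"EHLO starttls-check.invalid\r\n")  # hypothetical client name
        result["decision"] = delivery_decision(domain, parse_ehlo(_read_reply(reader)))
        if result["decision"] != "starttls":
            sock.sendall(b"QUIT\r\n")
            return result
        sock.sendall(b"STARTTLS\r\n")
        if not _read_reply(reader).startswith("220"):
            result["error"] = "server refused STARTTLS after advertising it"
            return result
        try:
            # Same TCP connection, now wrapped in TLS; the handshake fails here
            # if the certificate is self-signed, expired, or for another name.
            tls = ctx.wrap_socket(sock, server_hostname=host)
            result["verified"] = True
            result["subject"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            tls.sendall(b"QUIT\r\n")
        except ssl.SSLCertVerificationError as exc:
            result["error"] = f"certificate rejected: {exc.reason}"
    return result


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: starttls_check.py <mx-host> <recipient-domain>")
    print(check_server(sys.argv[1], sys.argv[2]))
```

Run it against one of your own MX hosts to see the difference the EFF describes: a server that advertises STARTTLS but presents a self-signed certificate reports `decision: starttls` with `verified: False` and a `certificate rejected` error, which is exactly the state a non-validating client would have silently accepted.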
