Image credit: EFF

The EFF wants to make email servers more secure

STARTTLS Everywhere is like Let's Encrypt for email servers.

The Electronic Frontier Foundation (EFF) launched the HTTPS-encryption initiative Let's Encrypt two years ago with Mozilla and Cisco. Now it's turning its attention to email servers with a new project called STARTTLS Everywhere, which aims to help server admins run STARTTLS email servers properly, because according to the EFF, most aren't.

STARTTLS is an extension of the SMTP email-sending protocol which upgrades an insecure connection into a secure one using TLS (SSL) certificates. In a nutshell, it sets up an encrypted channel between two email servers: the email is encrypted when it leaves the sending server and decrypted when it reaches the receiving one, so it can't be read by third parties sitting on the network in between.

Now, STARTTLS -- the SMTP extension itself -- has been around since 1999, so it's nothing new. According to Google's latest Email Transparency Report, it's now operational on 89 percent of all online email servers. The problem, according to the EFF, is that it's often configured incorrectly.

As noted in an EFF blog post, "although many mail servers enable STARTTLS, most still do not validate certificates". This means an active attacker on the network can "get between two servers and impersonate one or both, allowing that attacker to read and even modify emails sent through your supposedly 'secure' connection. Since it's not common practice for email servers to validate certificates, there's often little incentive to present valid certificates in the first place."

As the EFF says, the email ecosystem is stuck in a sort of chicken-and-egg dilemma. "No one validates certificates because the other party often doesn't have a valid one, and the long tail of mail servers continue to use invalid certificates because no one is validating them anyway," the blog post continues.

This is where STARTTLS Everywhere should be able to help. It provides software that system admins can run on an email server to automatically get a valid certificate from Let's Encrypt. This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers.

It also includes a "preload list" of email servers that have promised to support STARTTLS, which can help detect downgrade attacks (where an attacker on the path strips the STARTTLS offer so the connection silently falls back to plaintext). According to the blog post, this means "more secure email, and less mass surveillance." Mail server admins can read a technical deep dive on setting up STARTTLS on the STARTTLS Everywhere website now.
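The two failure modes the article describes, a sending server that encrypts but never validates the receiving server's certificate, and a downgrade where the STARTTLS offer is stripped from the EHLO response, can both be checked on the client side. The following is an added example, not code from the EFF or from the STARTTLS Everywhere project: it parses constructed EHLO responses, compares them against a small "preload list" (the dictionary format here is an assumption for illustration, not the project's real policy-list format), and builds a TLS context that requires a valid, hostname-matching certificate alongside the weak, non-validating context the article warns about. `probe_mx` shows how the pieces fit together against a live server and is only called explicitly, never at import time.

```python
import smtplib
import ssl

# Constructed preload list (assumed format, for illustration only): domains whose
# MX hosts have promised to support STARTTLS, so a missing offer is suspicious.
PRELOAD_POLICY = {
    "example.com": {"require_tls": True, "mx_hostnames": ["mail.example.com"]},
}

# Constructed EHLO responses: one as a correctly configured server sends it,
# and one with the STARTTLS line removed, as a downgrading middlebox would send.
EHLO_WITH_STARTTLS = (
    "250-mail.example.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
EHLO_STRIPPED = "250-mail.example.com\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def parse_ehlo_extensions(response):
    """Return the set of extension keywords advertised in an EHLO response.

    The first 250 line is the server's greeting, not an extension, so it is skipped.
    """
    extensions = set()
    for line in response.splitlines()[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop "250-" or "250 "
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def evaluate_connection(domain, ehlo_response, policy=PRELOAD_POLICY):
    """Classify a session before any mail is sent.

    'starttls'            - STARTTLS offered; upgrade and validate the certificate
    'downgrade_suspected' - domain is on the preload list but STARTTLS is missing
    'plaintext_fallback'  - no offer and no policy, the opportunistic status quo
    """
    advertised = "STARTTLS" in parse_ehlo_extensions(ehlo_response)
    required = policy.get(domain, {}).get("require_tls", False)
    if advertised:
        return "starttls"
    if required:
        return "downgrade_suspected"
    return "plaintext_fallback"


def hostname_allowed(domain, mx_hostname, policy=PRELOAD_POLICY):
    """Check that the MX host we are about to trust is one the policy names."""
    allowed = policy.get(domain, {}).get("mx_hostnames")
    return allowed is None or mx_hostname.lower() in [h.lower() for h in allowed]


def validating_tls_context():
    """The corrected setting: verify the chain against the system CA store and
    require the certificate to match the hostname we connected to."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx  # check_hostname=True and verify_mode=CERT_REQUIRED are set by default


def non_validating_tls_context():
    """The weak setting the article describes: traffic is encrypted, but any
    certificate is accepted, so an on-path attacker can impersonate the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates(ctx):
    """True only if the context both checks the chain and the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def probe_mx(mx_hostname, domain, port=25, timeout=10):
    """Connect to a real MX host and report how the session would be treated.

    Not run at import time; call it yourself against a server you operate.
    Passing an explicit validating context to starttls() is the point: it makes
    a forged or mismatched certificate fail loudly instead of being accepted.
    """
    if not hostname_allowed(domain, mx_hostname):
        return "mx_not_in_policy"
    with smtplib.SMTP(mx_hostname, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        verdict = evaluate_connection(domain, f"{code} {msg.decode(errors='replace')}")
        if verdict == "starttls":
            smtp.starttls(context=validating_tls_context())  # raises ssl.SSLError on a bad cert
            smtp.ehlo()  # re-issue EHLO inside the encrypted channel
        return verdict
```

`evaluate_connection` is what a preload list buys you: without a policy entry, a missing STARTTLS offer is indistinguishable from a server that never supported it, and the only safe response is to refuse to fall back to plaintext for domains that have promised encryption. The `ehlo()` reconstruction in `probe_mx` prepends the status code so the parser sees the same shape as the raw response.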
