Menu
Facebook encourages email providers to deploy STARTTLS encryption

Facebook encourages email providers to deploy STARTTLS encryption

As more email servers support encryption the value increases for everyone, researchers from Facebook said

Facebook is pushing for more email providers to use STARTTLS, a technology that encrypts emails as they pass between servers and clients, after an analysis showed that any SMTP (Simple Mail Transfer Protocol) server that adds the feature now would start encrypting over half of its outbound email traffic.

STARTTLS is an extension for several communication protocols, including IMAP and POP3, SMTP, FTP and XMPP and allows a plain text connection to be upgraded to an encrypted one using the TLS (Transport Layer Security) or SSL (Secure Sockets Layer) protocols.

Researchers at Facebook recently analyzed a day's worth of the company's email logs to determine how widely STARTTLS is deployed among email servers around the world. The company is in a good position to run such a test because it sends several billion notification emails every day to user email addresses hosted across millions of domain names.

"We found that 76 percent of unique MX hostnames [email server hostnames] that receive our emails support STARTTLS," the Facebook researchers said Tuesday in a blog post. "As a result, 58 percent of notification emails are successfully encrypted."

SSL certificates are successfully validated for around half of encrypted email traffic and the other half is "opportunistically encrypted," the researchers said.

By opportunistic encryption Facebook refers to encrypted connections that are established despite the SSL certificate presented by the server not passing strict validation criteria. This can happen if the certificate is not signed by a trusted certificate authority, is expired or was not issued for the host name where it was used.

The Facebook researchers found that for over 99 percent of emails that were encrypted using opportunistic encryption the reason for certificate validation failures was a hostname mismatch, the certificates being otherwise acceptable.

Seventy-four percent of MX hosts that supported STARTTLS provided perfect forward secrecy (PFS), a property of some TLS cipher suites that prevents the decryption of previously captured traffic if the server's private key is later compromised.

The majority of email traffic sent by Facebook to servers with STARTTLS support was encrypted with the ECDHE-RSA-RC4-SHA and DHE-RSA-AES256-SHA cipher suites, but that was probably the result of those suites being preferred by the major email providers. When counted by unique deployments, the majority of servers used DHE-RSA-AES128-SHA.

The second most prevalent cipher suite by unique server IP addresses was AES128-SHA, which is concerning because it does not provide perfect forward secrecy, the Facebook researchers said.

PFS has become an increasingly recommended feature for TLS deployments, amid growing concerns over the past year of widespread Internet surveillance by intelligence agencies like the U.S. National Security Agency and the U.K.'s Government Communications Headquarters.

The analysis carried out by the Facebook researchers shows that STARTTLS is already widely supported by email servers, even though there are certificate management issues that could be resolved.

"We see two high priority areas for improvement," the Facebook researchers said. "First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS."

"A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted," they said.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags online safetysecurityencryptiondata protectionprivacypkiFacebook

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments