As Naked Security reported recently, the Electronic Frontier Foundation (EFF) has a new plan to curb e-mail snooping. The post begins by describing the efforts of Let's Encrypt, a non-profit project that's supported and sponsored by a number of high-profile internet companies and other non-profits.
The project is best known for helping websites make the switch to secure HTTP, better known as HTTPS, the protocol that puts the padlock in your browser. HTTPS, simply put, is regular HTTP transmitted by means of an underlying network protocol known as Transport Layer Security, commonly known by the abbreviation TLS.
To use TLS, a website needs a security certificate, and a trusted third party needs to sign it. Let's Encrypt not only made the process simpler but also waived the fees for issuing signed security certificates, resulting in a huge decrease in the number of websites that refused to bother with HTTPS at all.
The new question is: what about e-mail encryption? Can folks eavesdrop on your e-mail?
The good news is that if you use one of the major webmail services, and send e-mail to another major webmail user, your e-mails are almost certainly encrypted and safe in transit. But plenty of non-webmail servers still aren't bothering with server-to-server mail encryption, or are encrypting in a sub-standard way.
So the EFF, one of the groups behind the Let's Encrypt project, has announced a related effort called STARTTLS Everywhere for the world's e-mail ecosystem. The word STARTTLS comes from the command used in the SMTP email protocol to switch into encrypted mode, and the STARTTLS Everywhere project aims to get everyone not only to use STARTTLS, but also to use it properly.
Read the post to see the ongoing problems and how the EFF proposes to help solve them. In part, the EFF will extend the Let's Encrypt system so that e-mail administrators can quickly and easily add TLS support for free. One dicey problem is that there is no downgrade protection. Unlike HTTPS connections from your browser, which start out using TLS and then talk HTTP over the secure-from-the-outset channel, e-mail connections start out unencrypted and "upgrade" themselves to TLS later on after the STARTTLS command is used. An eavesdropper who can alter the unencrypted part of a mail connection can therefore strip out the STARTTLS commands, sneakily turning a connection that was supposed to be encrypted into one that can be snooped on. Not a good thing.
One possible solution is a draft Internet standard called MTA-STS, proposed by experts from Microsoft, Google, Yahoo! and Comcast. MTA-STS allows a mail server to use an HTTPS connection – because secure HTTP is something we already know how to do well – to declare its preference for using e-mail encryption, and thereby to prevent a downgrade attack.
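To make the downgrade problem and the MTA-STS answer to it concrete, here is an added simulation (example code, not from the original post, the EFF, or the MTA-STS authors). It models a sending mail server that reads the receiving server's EHLO reply and decides whether to deliver over TLS, fall back to cleartext, or defer. The policy text, the EHLO replies and the host names are constructed samples; the policy keys follow the MTA-STS draft's text format, and `cert_valid` is an assumed flag standing in for the certificate check a real client would perform.

```python
import re

# Constructed sample policy in the MTA-STS text format (key: value lines,
# several "mx" lines allowed). A real policy is fetched over HTTPS from
# https://mta-sts.<recipient-domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.org
mx: *.backup-mx.example.org
max_age: 604800
"""

# Constructed EHLO replies from a simulated receiving server.
EHLO_WITH_STARTTLS = [
    "250-mail.example.org Hello sender",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 HELP",
]
# The same reply with the STARTTLS advertisement absent, which is what the
# sender sees in the downgrade scenario the post describes.
EHLO_WITHOUT_STARTTLS = [
    "250-mail.example.org Hello sender",
    "250-SIZE 52428800",
    "250 HELP",
]


def parse_mta_sts_policy(text):
    """Parse an MTA-STS policy file into a dict; raise ValueError if it is malformed."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % raw)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("unknown policy mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy names no mx hosts")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def mx_matches(policy, host):
    """True if host is one of the policy's mx entries; '*.' covers one leading label."""
    host = host.lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup-mx.example.org"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def offers_starttls(ehlo_lines):
    """True if the EHLO reply advertises the STARTTLS extension."""
    return any(re.match(r"250[- ]STARTTLS\b", line, re.IGNORECASE) for line in ehlo_lines)


def delivery_decision(ehlo_lines, mx_host, policy=None, cert_valid=True):
    """
    Decide how the sending server proceeds:
      "tls"       upgrade with STARTTLS and deliver
      "cleartext" opportunistic fallback (no policy, or policy not enforcing)
      "defer"     an enforce policy forbids insecure delivery; queue and retry
    """
    starttls = offers_starttls(ehlo_lines)
    if policy is None or policy["mode"] != "enforce":
        # Opportunistic STARTTLS: a missing advertisement silently yields a
        # cleartext session, and an unverifiable certificate is accepted.
        return "tls" if starttls else "cleartext"
    # Enforce mode: the MX must be one the policy names, STARTTLS must be
    # offered, and the certificate must validate for that host.
    if not mx_matches(policy, mx_host):
        return "defer"
    if not starttls or not cert_valid:
        return "defer"
    return "tls"


if __name__ == "__main__":
    policy = parse_mta_sts_policy(SAMPLE_POLICY)
    for label, reply in (("honest", EHLO_WITH_STARTTLS), ("stripped", EHLO_WITHOUT_STARTTLS)):
        print(label, "no policy:", delivery_decision(reply, "mail.example.org"))
        print(label, "enforce:  ", delivery_decision(reply, "mail.example.org", policy))
```

The two runs show the whole point: without a policy, the stripped reply quietly becomes a cleartext delivery, whereas with an enforce policy the same reply is deferred rather than sent in the clear. The policy itself is only trustworthy because it arrives over HTTPS, which is why MTA-STS leans on the web PKI that Let's Encrypt already serves.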
The EFF is also helping out by maintaining a database called the STARTTLS Policy List, hosted on its own secure servers, that keeps track of e-mail systems meeting minimum standards for SMTP encryption.
I find myself continually applauding the good work of the EFF. Once again, bravo!
Hat tip to Dave Ries.