“More secure email, and less mass surveillance”

Riding on the coattails of the heavily overhyped Efail bug, the Electronic Frontier Foundation (EFF) has launched a new project aimed at making encryption of email in transit universal.

Intended to improve mail delivery, which still relies on SMTP (Simple Mail Transfer Protocol) with only limited protection, STARTTLS Everywhere is software that runs on a mail server and automatically obtains valid certificates from the free certificate authority Let’s Encrypt, so that the server can present them to other mail servers.

STARTTLS itself is not new: it is an SMTP extension that upgrades a plaintext connection between two mail servers to TLS, and EFF has previously campaigned for mail providers to enable it by default. It provides hop-to-hop encryption, which keeps email traffic safe from passive eavesdroppers on the wire, but each server along the delivery path still sees the message in the clear.

While Google’s Email Transparency Report points to around 89% of Gmail’s traffic with other providers being protected by STARTTLS, the problem lies in how it is deployed: STARTTLS is opportunistic, and most mail servers do not validate the certificate presented by the other side, so an active attacker can strip the STARTTLS offer from the connection or impersonate the receiving server, downgrading the session to plaintext or to unauthenticated TLS.

Making an announcement in a blog post earlier this week, EFF said: “Although many mail servers enable STARTTLS, most still do not validate certificates. Just like in HTTPS, certificates are what a server uses to prove it really is who it says it is.

“Without certificate validation, an active attacker on the network can get between two servers and impersonate one or both, allowing that attacker to read and even modify emails sent through your supposedly ‘secure’ connection.

“Since it’s not common practice for email servers to validate certificates, there’s often little incentive to present valid certificates in the first place.”

STARTTLS Everywhere intends to fix these problems. It also maintains a list of mail servers known to support the initiative, so that a sending server which knows a recipient offers STARTTLS with a valid certificate can treat a missing STARTTLS offer as an attack rather than as lack of support, which EFF anticipates will help detect attacks on email in transit. Providers including Gmail, Yahoo, and Outlook have already signed up.
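The downgrade described in the quotes above, and the way a preloaded list of STARTTLS-capable domains changes the sender’s decision, shown as an added example that is not part of this article or of EFF’s own software. It simulates the SMTP EHLO exchange in Python: the receiving server advertises STARTTLS, an active attacker on the path strips that line, and the sending side either falls back to plaintext (opportunistic behaviour) or refuses to deliver (policy-enforced behaviour). The host names, the EHLO reply, and the policy list are all constructed, and certificate validation is modelled as a boolean rather than a real TLS handshake.

```python
"""Constructed model of opportunistic STARTTLS versus a preloaded policy.

Simulates the EHLO exchange between a sending mail server and a receiving MX.
An active attacker on the path rewrites the MX's EHLO reply so that STARTTLS
is never advertised. An opportunistic sender silently falls back to plaintext;
a sender holding a preloaded policy for the recipient domain refuses to deliver.
Certificate validation is modelled as a boolean. No sockets or real TLS are used.
"""

from dataclasses import dataclass

# Constructed EHLO reply in real SMTP multi-line syntax: intermediate lines
# use "250-", the final line uses "250 " (space). Host names are hypothetical.
SERVER_EHLO = [
    "250-mx.example.net Hello client.example.org",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 SMTPUTF8",
]

# Hypothetical preloaded policy list, standing in for the idea of the
# STARTTLS Everywhere list: a listed domain is known to offer STARTTLS
# with a valid certificate on the named MX hosts.
POLICY_LIST = {
    "example.net": {"mode": "enforce", "mxs": ["mx.example.net"]},
}


def parse_ehlo(lines):
    """Return the set of extension keywords advertised in an EHLO reply."""
    exts = set()
    for line in lines[1:]:  # line 0 is the greeting, not an extension
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        exts.add(line[4:].split(" ", 1)[0].upper())
    return exts


def strip_starttls(lines):
    """Active attacker: remove the STARTTLS line, keeping the reply well-formed."""
    kept = [l for l in lines if not l[4:].upper().startswith("STARTTLS")]
    # Re-mark continuation lines so the last one carries "250 ", as SMTP requires.
    return ["250-" + l[4:] for l in kept[:-1]] + ["250 " + kept[-1][4:]]


@dataclass
class Outcome:
    delivered: bool
    channel: str  # "tls", "plaintext" or "refused"
    reason: str


def deliver(domain, mx_host, ehlo_reply, cert_valid, policy_list=POLICY_LIST):
    """Decide how a sending server delivers to `domain` via `mx_host`.

    cert_valid stands for the result of validating the certificate presented
    after STARTTLS (trusted chain, name matches mx_host).
    """
    policy = policy_list.get(domain)
    enforced = policy is not None and policy["mode"] == "enforce"

    if enforced and mx_host not in policy["mxs"]:
        return Outcome(False, "refused", f"{mx_host} is not a listed MX for {domain}")

    if "STARTTLS" not in parse_ehlo(ehlo_reply):
        if enforced:
            return Outcome(False, "refused", "STARTTLS required by policy but not offered: possible downgrade")
        return Outcome(True, "plaintext", "opportunistic fallback: STARTTLS not offered")

    # Client sends "STARTTLS", MX answers "220 Ready to start TLS", handshake follows.
    if not cert_valid:
        if enforced:
            return Outcome(False, "refused", "certificate failed validation under enforced policy")
        return Outcome(True, "tls", "encrypted but unauthenticated: an impersonating MX would pass")

    return Outcome(True, "tls", "encrypted and authenticated")


def scenarios():
    """Run the cases discussed in the article and return them keyed by name."""
    honest, attacked = SERVER_EHLO, strip_starttls(SERVER_EHLO)
    return {
        "unlisted domain, honest MX, cert unchecked": deliver("example.org", "mx.example.org", honest, cert_valid=False),
        "unlisted domain, STARTTLS stripped": deliver("example.org", "mx.example.org", attacked, cert_valid=False),
        "listed domain, STARTTLS stripped": deliver("example.net", "mx.example.net", attacked, cert_valid=True),
        "listed domain, bad certificate": deliver("example.net", "mx.example.net", honest, cert_valid=False),
        "listed domain, honest MX, valid cert": deliver("example.net", "mx.example.net", honest, cert_valid=True),
    }


if __name__ == "__main__":
    for name, out in scenarios().items():
        print(f"{name:42} -> {out.channel:9} {out.reason}")
```

The point the scenarios make is the one EFF makes: without a policy, stripping a single line from the EHLO reply is enough to get plaintext, and even an intact STARTTLS offer only yields encryption against a passive observer unless the certificate is validated. A real attacker has other options the model leaves out, such as answering the client’s STARTTLS command with a 4xx error, which an opportunistic sender also treats as “no TLS available”.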

“The net result: more secure email, and less mass surveillance,” EFF said.

EFF has also created a tool for checking how securely a given email provider is configured.