The Electronic Frontier Foundation (EFF) is looking to address a long-standing problem with the STARTTLS email security extension through an initiative it calls STARTTLS Everywhere. STARTTLS is an extension to the standard SMTP email protocol that lets two mail servers upgrade their connection to an encrypted channel. That is not end-to-end encryption, but it does protect a message in transit as it is passed from server to server. However, servers are not always configured to validate the certificate presented by the other side, or to present a valid certificate of their own. Because STARTTLS is typically used opportunistically, a sending server will usually accept an invalid or self-signed certificate and deliver the message anyway, which leaves the traffic open to interception by anyone who can sit between the two servers, from criminal groups to government agencies. Even a correctly configured pair of servers can fall victim to a "downgrade" attack: an attacker on the network path strips the STARTTLS capability from the receiving server's response, so the sending server never learns that encryption is available and falls back to sending in plaintext. EFF's STARTTLS Everywhere aims to address all of those issues at once.
STARTTLS Everywhere is a software tool meant to be run behind the scenes by mail server administrators. It automates obtaining a valid certificate for a given mail server from Let's Encrypt, the free certificate authority that EFF helped found, and it also automates the configuration of the mail server software so that it uses STARTTLS and presents that valid certificate to other mail servers. In addition, the project maintains a "preload list" (a policy list, much like the HSTS preload list for websites) of mail domains that have committed to supporting STARTTLS. A sending server that consults the list knows that encryption must be available for those domains, so a connection on which STARTTLS is not offered can be recognised as a downgrade attack rather than as an unsupported feature. Since the software automates most of the work of fixing poor STARTTLS deployments, the organization hopes it will see widespread use, which in turn should spread adoption of STARTTLS Everywhere and improve security across the board.
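The following is an added example, not code from EFF or the STARTTLS Everywhere project. It simulates the decision a sending mail server makes after reading the receiving server's EHLO reply, first as an ordinary opportunistic client (which a STARTTLS-stripping attacker defeats) and then with a preload-style policy list consulted. The policy structure, field names ("mode", "mxs") and the leading-dot wildcard are assumptions modelled loosely on the project's policy list; the EHLO replies are constructed, not captured, and the TLS handshake and certificate validation themselves are not simulated.

```python
"""Simulated STARTTLS negotiation with and without a preload-style policy list.

Added example, not EFF's or the STARTTLS Everywhere project's code.
Policy format and field names below are assumptions for illustration.
"""
import re

# Constructed EHLO replies (not real captures). RFC 5321 multi-line form:
# "250-" continues the reply, "250 " ends it.
EHLO_HONEST = (
    "250-mail.example.com Hello sender\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same server, but an on-path attacker has removed the STARTTLS line.
EHLO_STRIPPED = (
    "250-mail.example.com Hello sender\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

# Hypothetical policy (preload) list. "enforce" means TLS to a listed MX is
# mandatory; "testing" means problems are reported but mail is still delivered.
# An entry starting with "." is assumed to match any subdomain.
POLICY_LIST = {
    "example.com": {"mode": "enforce", "mxs": [".example.com"]},
    "example.org": {"mode": "testing", "mxs": ["mx.example.org"]},
}


def parse_ehlo(response):
    """Return the set of extension keywords advertised in an EHLO reply."""
    exts = set()
    lines = [line for line in response.split("\r\n") if line]
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(\S+)", line)
        if not m:
            raise ValueError("malformed EHLO reply line: %r" % line)
        if i == 0:
            continue  # first line is the server greeting, not an extension
        exts.add(m.group(2).upper())
    return exts


def mx_allowed(mx_host, allowed):
    """True if mx_host is an exact entry, or a subdomain of a '.suffix' entry."""
    host = mx_host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if host.endswith(entry) and host != entry[1:]:
                return True
        elif host == entry:
            return True
    return False


def decide(domain, mx_host, ehlo_response, policy_list=POLICY_LIST):
    """Decide delivery for `domain` via `mx_host` given its EHLO reply.

    Returns (action, problems) where action is one of:
      "tls"       - STARTTLS advertised, proceed to negotiate TLS
      "plaintext" - fall back to cleartext (opportunistic behaviour)
      "refuse"    - domain is in enforce mode and requirements are not met
    """
    offered = "STARTTLS" in parse_ehlo(ehlo_response)
    policy = policy_list.get(domain.lower())
    if policy is None:
        # No policy: classic opportunistic STARTTLS. A stripped EHLO reply
        # looks exactly like a server that never supported TLS.
        return ("tls" if offered else "plaintext", [])

    problems = []
    if not offered:
        problems.append("STARTTLS not advertised by %s (possible downgrade)" % mx_host)
    if not mx_allowed(mx_host, policy["mxs"]):
        problems.append("MX %s not in policy list for %s" % (mx_host, domain))

    if problems and policy["mode"] == "enforce":
        return ("refuse", problems)
    # testing mode: behave opportunistically but surface the findings
    return ("tls" if offered else "plaintext", problems)


if __name__ == "__main__":
    cases = [
        ("example.net", "mx.example.net", EHLO_STRIPPED),   # no policy
        ("example.com", "mail.example.com", EHLO_HONEST),   # enforce, good
        ("example.com", "mail.example.com", EHLO_STRIPPED), # enforce, stripped
        ("example.com", "evil.attacker.net", EHLO_HONEST),  # enforce, wrong MX
        ("example.org", "mx.example.org", EHLO_STRIPPED),   # testing, stripped
    ]
    for domain, mx, reply in cases:
        action, problems = decide(domain, mx, reply)
        print("%-12s via %-18s -> %-9s %s" % (domain, mx, action, "; ".join(problems)))
```

The first case is the situation the article describes: with no policy, a stripped reply is indistinguishable from a server that simply lacks STARTTLS, and the mail goes out in the clear. With the domain on the list in enforce mode, the same stripped reply (or a redirect to an MX that is not on the list) causes the sender to refuse rather than downgrade; testing mode lets an operator see what would have been refused before turning enforcement on.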
In the meantime, the project's site also offers a simpler tool aimed at ordinary users. By entering the domain of their email address (for example "gmail.com", the part after the "@", for Google's email service), visitors get a status report on whether that domain's mail servers support STARTTLS with a valid certificate, that is, whether mail to them can be delivered over an encrypted connection. A fix will still depend on the administrators responsible for those mail servers, but the check at least gives users some feedback on how far their email provider can be trusted to protect messages in transit.