EFF To Address Ongoing Problem With STARTTLS Email Security

The Electronic Frontier Foundation (EFF) is looking to address an ongoing problem with the long-standing STARTTLS email security extension through an initiative it calls STARTTLS Everywhere. STARTTLS is effectively an add-on to the standard STMP email protocol which ensures those messages are sent over an encrypted channel. That's not end-to-end encryption but does provide some security as the email is being sent from server to server. However, the servers aren't always configured to validate certificates or provide valid certificates associated with the baseline security measure properly. As a result, emails are sent with invalid certificates and received regardless of invalid certificates, leaving emails completely unprotected against interception from a slew of bad actors or governing agencies. Other times, correctly configured certificates fall victim to a "downgrade" attack which effectively stops the receiving server from realizing that it needs to be sent over encrypted channels and negotiating a secured exchange. EFF's STARTTLS Everywhere is hoping to address all of those issues at once.

STARTTLS Everywhere is a software solution meant to be run by tech industry employees such as mailserver admins behind the scenes to automate the process of ensuring emails on a given server automatically receive a valid certificate from EFFs Let’s Encrypt service. Furthermore, it also automates the configuration of email server software to ensure that it is using STARTTLS and presenting valid certificates to other email servers. Meanwhile, the software includes a "preload list" of servers that have promised to support the encryption protocol, which EFF says will enable easier detection of the above-mentioned downgrade attacks. Since the software effectively automates most of the solution addressing poor implementation of STARTTLS, the organization hopes that it will see widespread use. That, in turn, should result in further spreading of STARTTLS Everywhere and better security across the board.

In the meantime, the site containing the solution has a secondary tool meant for the more general userbase. By entering in their email address' domain name - for example, "@gmail.com" for Google's email service - visitors to the site will be provided with a status update letting them know whether or not their messages are secured. Although a direct fix will still depend on the administrators responsible for email servers, that will at least provide some feedback about whether or not their email service can be trusted.

Copyright ©2019 Android Headlines. All Rights Reserved
This post may contain affiliate links. See our privacy policy for more information.
You May Like These
More Like This:
About the Author
2018/10/Daniel-Golightly-2018-New.jpg

Daniel Golightly

Senior Staff Writer
Daniel has been writing for AndroidHeadlines since 2016. As a Senior Staff Writer for the site, Daniel specializes in reviewing a diverse range of technology products and covering topics related to Chrome OS and Chromebooks. Daniel holds a Bachelor’s Degree in Software Engineering and has a background in Writing and Graphics Design that drives his passion for Android, Google products, the science behind the technology, and the direction it's heading. Contact him at [email protected]
Android Headlines We Are Hiring Apply Now