For the past few years, EFF has been working on promoting the universal use of encryption for Internet protocols. We started by pushing major sites to switch from HTTP to HTTPS, and gave individual users ways to pull things along.
Last November, we launched our Encrypt the Web Scorecard, which in addition to Web encryption, added a second focus on securing SMTP email transmissions between mailservers. We believe this is a vital protection against non-targeted dragnet surveillance by the US andother governments. In the months after we started rating their support for STARTTLS email encryption, a number of major sites including Yahoo!, Twitter, LinkedIn and Facebook deployed this form of backbone email encryption. Microsoft’s deployments is in progress. We believe that most or all of these companies made these changes in response to EFF’s Encrypt the Web report.
Today, Google, which led the email ecosystem with early adoption of STARTTLS and HTTPS, has published its own datasets on the amount of email that is encrypted in transit between Gmail and other email providers. This data shows that (averaging Google’s inbound and outbound numbers) backbone encryption has risen from 33% to 58% since December last year.1 A Facebook snapshot from two weeks ago shows a similar story. But there is also more work to do. More mail operators need to implement STARTTLS, and some of those that already support STARTTLS need to upgrade their servers to support modern ciphers and forward secrecy.
If your organization runs a mail server, make sure STARTTLS is enabled and check that it is configured correctly today.
- 1.If you’d like to calculate inbound encryption percentages for your own email domain, we have a rough draft scriptfor doing this based on the headers in your historical email archives. It still a work in progress, so pull requests are welcome!
Via EFF with permission.