Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery
Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.
Thanks to previous EFF efforts like Let's Encrypt and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.
Note that this is a high-level, general post about STARTTLS Everywhere. If you’d like a deeper dive intended for mailserver admins, with all the technical details and caveats, see the companion technical post.
It’s important to note that STARTTLS Everywhere is designed to be run by mailserver admins, not regular users. No matter your role, you can join in the STARTTLS fun and find out how secure your current email provider is at:
Enter your email domain (the part of your email address after the “@” symbol), and we’ll check if your email provider has configured their server to use STARTTLS, whether or not they use a valid certificate, and whether or not they’re on the STARTTLS Preload List—all different indications of how secure (or vulnerable) your email provider is to mass surveillance.
Wait, Email Is Vulnerable to Mass Surveillance?
Email relies on something called the Simple Mail Transfer Protocol, or SMTP. SMTP is the technical language email servers use to communicate with each other. It was one of the very first application protocols developed for the Internet. It’s even older than HTTP, the protocol your browser uses to talk to webservers when you want to load a website!
Just like HTTP, SMTP was not developed with encryption or authentication in mind, as the trust model on the Internet today is starkly different from what it was in the 70s. Like regular old snail mail, senders can write whatever they want in the "From:" field, or even choose to omit it. And in the same way your post office or your postal carrier can read what you write on a postcard, machines responsible for delivering emails can read their contents, as can anyone who’s watching the traffic they send and receive. But unlike regular mail, the cost of sending emails, spoofing emails, collecting copies of emails, and altering emails in-transit is extremely low.
That means that without encryption, government agencies that perform mass surveillance, like the NSA, can easily sweep up and read everyone’s emails—no hacking or breaking encryption necessary.
So What Is STARTTLS?
STARTTLS is an addition to SMTP, which allows one email server to say to the other, “I want to deliver this email to you over an encrypted communications channel.” The recipient email server can then say “Sure! Let’s negotiate an encrypted communications channel.” The two servers then set up the channel and the email is delivered securely, so that anybody listening in on their traffic only sees encrypted data. In other words, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won't be able to see the contents of messages while they’re in transit, and will need to use more targeted, low-volume methods.
It’s important to note that if you don’t trust your mail provider and don’t want them to be able to read your emails, STARTTLS isn’t enough. That’s because STARTTLS only provides hop-to-hop encryption, not end-to-end. For example, if a Gmail user sends email to an EFF staffer, the operators of the Google and EFF mailservers can read and copy the contents of that email even if STARTTLS is negotiated perfectly. STARTTLS only encrypts the communications channel between the Google and EFF servers so that an outside party can’t see what the two say to each other—it doesn’t affect what the two servers themselves can see.
Thus, STARTTLS is not a replacement for secure end-to-end solutions. Instead, STARTTLS allows email service providers and administrators to provide a baseline measure of security against outside adversaries.
Great! So if STARTTLS Exists Everything’s Fine, Right?
Unfortunately, STARTTLS has some problems. Although many mailservers enable STARTTLS, most still do not validate certificates. Just like in HTTPS, certificates are what a server uses to prove it really is who it says it is. Without certificate validation, an active attacker on the network can get between two servers and impersonate one or both, allowing that attacker to read and even modify emails sent through your supposedly “secure” connection. Since it’s not common practice for email servers to validate certificates, there’s often little incentive to present valid certificates in the first place.
As a result, the ecosystem is stuck in a sort of chicken-and-egg problem: no one validates certificates because the other party often doesn’t have a valid one, and the long tail of mailservers continues to use invalid certificates because no one is validating them anyway.
Additionally, even if you configure STARTTLS perfectly and use a valid certificate, there’s still no guarantee your communication will be encrypted. That’s because when a sending email server says, “I want to deliver this email to you over an encrypted communications channel,” that message is unencrypted. This means network attackers can jump in and block that part of the message, so that the recipient server never sees it. As a result, both servers think the other doesn’t support STARTTLS. This is known as a “downgrade attack,” and ISPs in the U.S. and abroad have been caught doing exactly this. In fact, in 2014 several researchers found that STARTTLS encryption on outbound email from several countries was being regularly stripped.
STARTTLS Everywhere to the Rescue!
That’s where STARTTLS Everywhere comes in.
STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let’s Encrypt. This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers. Finally, STARTTLS Everywhere includes a “preload list” of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. The net result: more secure email, and less mass surveillance.
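To make the STARTTLS negotiation, the downgrade attack and the preload list concrete, here is an added example (not EFF's code and not the STARTTLS Everywhere software) that simulates the decision a sending mailserver makes after reading the recipient's EHLO reply. The preload entries, the EHLO replies and the "enforce"/"testing" modes are constructed sample data, not the real list.

```python
"""Simulated hop-to-hop STARTTLS decision (added example, not EFF's code).

Models what a sending mailserver does after reading the recipient's EHLO
reply: upgrade when STARTTLS is advertised; if it is missing and the
recipient domain is on a preload list that promises STARTTLS, treat that as
a suspected downgrade and refuse plaintext delivery. The preload entries and
EHLO replies below are constructed sample data, not the real list.
"""
from typing import Dict, List

# Constructed preload list; real STARTTLS Everywhere entries live elsewhere.
PRELOAD_LIST: Dict[str, str] = {
    "example.org": "enforce",   # operator promised STARTTLS: fail closed
    "example.net": "testing",   # listed, but only report, do not block
}

# Constructed EHLO replies: an honest server, and the same reply after an
# on-path middlebox overwrote the STARTTLS keyword (the "stripping" the post
# describes), so the sender never sees the capability.
EHLO_HONEST = (
    "250-mail.example.org Hello sender\r\n"
    "250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
EHLO_STRIPPED = EHLO_HONEST.replace("STARTTLS", "XXXXXXXX")


def parse_ehlo_capabilities(reply: str) -> List[str]:
    """Capability keywords from an RFC 5321 EHLO reply (first 250 line is the hostname)."""
    lines = [ln[4:].strip() for ln in reply.splitlines() if ln.startswith("250")]
    return [ln.split()[0].upper() for ln in lines[1:] if ln]


def decide_delivery(recipient_domain: str, ehlo_reply: str) -> str:
    """Return "starttls", "refuse" (suspected downgrade) or "plaintext"."""
    if "STARTTLS" in parse_ehlo_capabilities(ehlo_reply):
        return "starttls"
    if PRELOAD_LIST.get(recipient_domain.lower()) == "enforce":
        return "refuse"       # domain promised STARTTLS; missing keyword = downgrade
    return "plaintext"        # legacy behaviour the preload list is meant to replace


if __name__ == "__main__":
    for dom in ("example.org", "example.net", "example.com"):
        print(dom, decide_delivery(dom, EHLO_HONEST), decide_delivery(dom, EHLO_STRIPPED))
```

Without a preload entry the stripped reply is indistinguishable from a server that simply never supported STARTTLS, which is exactly why the sender falls back to plaintext; the "enforce" entry is what turns that silent fallback into a refusal.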
If you appreciate the work we’ve done on STARTTLS Everywhere, you can also donate to EFF! Your contribution will help further the development of projects like STARTTLS Everywhere that help raise everyone’s level of security.
With all that we have accomplished together to improve the state of encrypted communications on the Internet, it’s about time we focus on upgrading email, the backbone of communication for a large part of the world. STARTTLS Everywhere is a natural step in that direction, but there’s still plenty of work to do, so let’s get hopping on hop-to-hop encryption!