One year on from the revelations about the NSA’s surveillance programmes, the tech industry has united in an effort to strengthen email privacy and keep governments and cyber criminals out of the inbox. Fighting against the surveillance of online communications is no longer an overstated marketing claim, but a serious issue for companies which are beefing up email encryption to take back privacy online.
This particular focus on email encryption is right and it’s encouraging to see the industry working collectively to raise awareness of the issue and taking steps to encrypt email communications more effectively.
Recently, Google announced plans to launch a Chrome plug-in which will enable PGP style end-to-end encryption for Gmail. Comcast announced that it, too, would begin scrambling its customers’ emails. However, Transport Layer Security (TLS) encryption only works if the recipients’ mail servers are also configured to support it. If it is to work, it needs mainstream adoption. AOL, Gmail and Hotmail are mainstream mailbox providers that correctly and comprehensively implement TLS for mail sent to their users.
But what about the rest of the mail exchangers on the Internet? On 10th May, My company investigated by attempting an SMTP connection to the mail exchangers for roughly 8 million domains that we regularly deliver email to.
Those 8 million domains presented 3.4 million unique mail exchangers, 2,614,380 (76%) of which claimed to support TLS. We attempted to connect to all of them, and failed to successfully negotiate a trusted TLS connection with 223,800 of them (8.5%). 96% of these failed TLS connections occurred due to certificate name mismatches (65%), hosts signed to unknown authorities (22%) or hosts presenting expired certificates (9%).
Google has also contributed to raising awareness of this risk by adding a new section to its Transparency Report. It found that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren’t encrypted. Facebook undertook research which demonstrates that 76% of hostnames that receive Facebook notifications support TLS, resulting in a 58% encryption success rate for notification emails.
Recent research projects show that there is still a significant surveillance risk due to mailbox providers not properly supporting TLS. While senders like AOL, Google, Hotmail and Yahoo have activated TLS encryption, emails will only be shielded from snooping once all email exchanges fully support it. The data shows that we still have a way to go.
Taking back privacy through email encryption starts with transparency on TLS standards. SendGrid, Google, Facebook and the Electronic Frontier Foundation have all already made significant contributions to public awareness of security and email encryption, which has, in turn, delivered results in the form of mail operators upgrading their encryption.
Google’s Transparency Report called out Comcast for not using encryption and this solicited a response from the telecoms giant promising to strengthen its email encryption measures. Hotmail, the last of the four major mailbox providers to support TLS, added support just days before the June 5 “Reset the Net” campaign.
In the months following the initial publication of the EFF’s Encrypt the Web Scorecard to flag web and mail-servers that don’t support TLS encryption, a number of sites including Yahoo!, Twitter, LinkedIn and Facebook deployed TLS email encryption.
A better approach to email encryption transparency has delivered good results so far. It’s up to Google, the EFF, and other tech companies to continue highlighting areas of weakness in email encryption to boost security on the web. This will lead to more mail operators implementing TLS and configuring their servers to support modern ciphers and forward secrecy while presenting valid certificates. This focus on transparency, combined with collaboration in the industry to ensure that all exchanges support email encryption, will emerge as one of the fundamental pillars of the free and open Web.