The Electronic Frontier Foundation (EFF) announced a new project named STARTTLS Everywhere that aims to provide guidance to server administrators on how to set up a proper email server that runs STARTTLS the correct way.
STARTTLS Everywhere is eerily similar to Let's Encrypt, another pro-encryption initiative the EFF launched together with Mozilla and Cisco two years ago.
But this initiative aims to bring encrypted communications to email servers, instead of web servers (Let's Encrypt's purpose).
As its name hints, STARTTLS Everywhere targets STARTTLS. This is an extension of the SMTP email-sending protocol that takes an existing insecure connection and upgrades it to a secure connection using SSL certificates.
STARTTLS works by allowing two email servers that want to send/receive an email to exchange certificates and set up an encrypted communications channel between them. Once the encrypted channel is established, the sending server transmits the email in encrypted form, and it is decrypted on arrival.
This ensures that the email cannot be read by third-party observers (servers through which the email travels), and that only the sender and recipient can view the email's content.
STARTTLS is not new by any stretch of the imagination. The SMTP standard extension was approved in 1999, and according to Google's latest Email Transparency Report, it's already deployed on 89% of all email servers currently online.
But despite its huge reach, EFF experts say STARTTLS is often misconfigured.
"Although many mailservers enable STARTTLS, most still do not validate certificates," EFF experts say.
What this means is that anyone can interpose themselves between two email servers and use an invalid certificate to pose as the recipient or sender, because most email servers fail to verify the authenticity of the certificate they are presented with.
Furthermore, due to a lapse in STARTTLS' design, STARTTLS-encrypted email communication channels can be downgraded to sending the email message in cleartext, instead of an encrypted form.
This "feature" was designed for situations where one server does not support STARTTLS, but during the past few years, security researchers and privacy advocates have often spotted ISPs in various countries intentionally downgrading STARTTLS to cleartext for various purposes that range from state-wide surveillance to user tracking and advertising [1, 2].
The EFF says this is where its latest project, STARTTLS Everywhere, will be able to help.
"STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let’s Encrypt," the EFF says. "This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers."
"Finally, STARTTLS Everywhere includes a 'preload list' of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. The net result: more secure email, and less mass surveillance."
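The following is an added illustration, not EFF's code and not the STARTTLS Everywhere software itself, of the two problems described above: how a sending server can distinguish a peer that simply lacks STARTTLS from one whose STARTTLS advertisement has been stripped, using a preload-style policy, and how a live check should validate the peer's certificate. The policy dictionary, EHLO replies and host names are constructed for the example and are not the project's real data format.

```python
"""Defender-side STARTTLS policy check: parse an EHLO reply, apply a
preload-style policy, and (for live use) verify a server's certificate."""
import smtplib
import ssl

# Constructed sample policy (an assumption for illustration, not the real
# STARTTLS Everywhere policy format): domains that promised to offer STARTTLS.
PRELOAD_POLICY = {
    "example.com": {"require_tls": True, "mx_hosts": ["mx.example.com"]},
}

# Constructed EHLO replies as a sending MTA would receive them.
EHLO_NORMAL = "250-mx.example.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = "250-mx.example.com\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def advertised_extensions(ehlo_reply: str) -> set:
    """Return the upper-cased EHLO keywords from a multi-line 250 reply.
    The first 250 line carries the server's name, not an extension."""
    lines = [ln for ln in ehlo_reply.splitlines() if ln.startswith("250")]
    exts = set()
    for line in lines[1:]:
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            exts.add(body.split()[0].upper())
    return exts


def tls_decision(domain: str, ehlo_reply: str, policy=PRELOAD_POLICY) -> str:
    """'tls': STARTTLS offered, upgrade and verify the certificate.
    'plaintext': STARTTLS absent and no promise on record (opportunistic fallback).
    'refuse': STARTTLS absent although the domain promised it: treat as a
    downgrade and do not send in cleartext."""
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return "tls"
    if policy.get(domain, {}).get("require_tls"):
        return "refuse"
    return "plaintext"


def verify_live_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect to a real MX host, require STARTTLS, and validate its certificate
    chain and hostname against the system CA store. Needs network access."""
    ctx = ssl.create_default_context()  # CA verification + hostname check on
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ctx)  # raises ssl.SSLError on an invalid certificate
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
        return True
```

Running `tls_decision("example.com", EHLO_STRIPPED)` returns "refuse", which is the behaviour a preload list enables: an omitted STARTTLS line from a domain that promised TLS is treated as a downgrade rather than silently falling back to cleartext.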
Details on how to properly set up STARTTLS on email servers, along with details on how to get an email server to run the EFF's STARTTLS "preload list" and how to get your own sites on the list are available on the STARTTLS Everywhere website that launched yesterday.