ISPs are stripping encryption from netizens' email – EFF

Chocolate teapot

Some security experts are wary about the effectiveness of STARTTLS in general, arguing that the technology is unworthy of trust in the first place.

Cryptographer and lecturer Matthew Green ‏said: "TLS for SMTP email is such a sad, sorry thing."

Computer scientist Daniel Bernstein added: "Why are we wasting time on "encryption" solutions that are trivially broken by active attackers?"

However, the EFF argues STARTTLS technology has its place and might even be used to enhance more trusted security technologies, such as PGP.

While PGP and S/MIME are end-to-end encryption, STARTTLS is server-to-server. That means that the body of an email protected with, e.g. PGP, can only be read by its intended recipient, while email protected with STARTTLS can be read by the owners of the sending server and the recipient server, plus anyone else who hacks or subpoenas access to those servers.

However, STARTTLS has three big advantages: First, it protects important metadata (subject lines and To:/From/CC: fields) that PGP and S/MIME do not. Second, mail server operators can implement STARTTLS without requiring users to change their behavior at all. And third, a well-configured email server with STARTTLS can provide Forward Secrecy for emails. The two technologies are entirely compatible and reinforce each other. The most secure and private approach is to use PGP or S/MIME with a mail service that uses STARTTLS for server-to-server communication.

The EFF's Hoffman-Andrews acknowledges the shortcomings of the protocol hinted at by Green and others but argues that EFF-backed changes would make the technology more robust.

"There are several weak points in the STARTTLS protocol, however," Hoffman-Andrews writes. "The first weakness is that the flag indicating that a server supports STARTTLS is not itself encrypted, and is therefore subject to tampering, which can prevent that server from establishing an encrypted connection."

"That type of tampering is exactly what we see today. EFF is working on a set of improvements to STARTTLS, called STARTTLS Everywhere, that will make server-to-server encryption more robust by requiring encryption for servers that are already known to support it," he concluded. ®