[Cryptography] Facebook on the state of STARTTLS

Viktor Dukhovni cryptography at dukhovni.org
Mon May 19 00:47:20 EDT 2014


On Mon, May 19, 2014 at 12:35:51AM -0400, Eric Mill wrote:

> https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223
> 
> "We found that 76% of unique MX hostnames that receive our emails support
> STARTTLS. As a result, 58% of notification emails are successfully
> encrypted. Additionally, certificate validation passes for about half of
> the encrypted email, and the other half is opportunistically encrypted. 74%
> of hosts that support STARTTLS also provide Perfect Forward Secrecy.
> 
> It's clear to us that STARTTLS has achieved critical mass and there is
> immediate value in deploying it. We encourage anyone who has not already
> deployed STARTTLS to at least deploy it for opportunistic encryption. As
> more systems support email encryption, the value increases for everyone."

Indeed, somewhat better than I expected at this juncture, but not
entirely surprising given the current incentives for large providers.

I am pleased they posted the report, and would like to see more
reports like this going forward.  I am somewhat disappointed it
appears to support the fallacy that somehow PKIX authentication is
applicable to SMTP and thus applauds the fact that some SMTP servers
throw away money on public CA signed certificates, when opportunistic
TLS, or no TLS is required in their absence, and even their presence
cannot usefully preclude active attacks.

The misconception that TLS for SMTP is rather like TLS for HTTP is
sadly still rather prevalent.

--
	Viktor.
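The report quoted above sorts receiving MX hosts into the buckets "no STARTTLS", "opportunistically encrypted", "certificate validation passes", and "provides Perfect Forward Secrecy". The following Python probe, added here as an illustration and not code from the post, from Facebook's note or from any project, reproduces that classification for one host. It tries a verified TLS handshake first and, when validation fails, retries without verification, which is exactly the fallback an opportunistic sender performs and the reason a public CA certificate alone does not stop an active attacker in this mode. The hostname `mx.example.test`, the `SAMPLE_EHLO` text and the helper names are constructed for the example.

```python
"""Classify an MX host's STARTTLS posture into the report's buckets:
cleartext, opportunistic (unverified) TLS, or verified TLS, plus forward secrecy."""
import smtplib
import ssl
from typing import Optional, Set, Tuple

# Constructed EHLO response, used only to exercise the parser offline.
SAMPLE_EHLO = (
    "250-mx.example.test Hello\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME"
)


def parse_ehlo(response: str) -> Set[str]:
    """Extract advertised extension keywords from a raw EHLO response.

    The first line carries the server's greeting hostname and is skipped;
    each later line is '250-KEYWORD [params]' or '250 KEYWORD [params]'.
    """
    keywords = set()
    for line in response.splitlines()[1:]:
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def is_forward_secret(cipher_name: str) -> bool:
    """OpenSSL names for suites with ephemeral (EC)DH key exchange start with
    ECDHE or DHE; TLS 1.3 suites (TLS_...) always use ephemeral key exchange."""
    return cipher_name.startswith(("ECDHE", "DHE", "TLS_"))


def classify(starttls_offered: bool, verified: bool,
             cipher_name: Optional[str]) -> Tuple[str, bool]:
    """Map a probe outcome to (bucket, forward_secret)."""
    if not starttls_offered or cipher_name is None:
        return ("cleartext", False)
    mode = "verified" if verified else "opportunistic"
    return (mode, is_forward_secret(cipher_name))


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> Tuple[str, bool]:
    """Connect to an MX host and classify it (needs network access).

    A verifying context is tried first; on a certificate or handshake
    failure the probe reconnects with verification disabled, as an
    opportunistic sender does, and reports the result as 'opportunistic'.
    """
    strict = ssl.create_default_context()          # chain + hostname checks
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # encrypt, verify nothing
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE

    for verified, context in ((True, strict), (False, lax)):
        server = smtplib.SMTP(host, port, timeout=timeout)
        try:
            server.ehlo()
            if not server.has_extn("starttls"):
                return classify(False, False, None)
            try:
                server.starttls(context=context)
            except ssl.SSLError:
                continue  # validation (or handshake) failed: retry unverified
            cipher_name = server.sock.cipher()[0]
            return classify(True, verified, cipher_name)
        finally:
            server.close()
    # STARTTLS was advertised but no handshake succeeded at all.
    return classify(True, False, None)


if __name__ == "__main__":
    import sys
    print("sample EHLO advertises:", sorted(parse_ehlo(SAMPLE_EHLO)))
    # Hostname from the command line; 'mx.example.test' is a placeholder.
    print(probe_mx(sys.argv[1] if len(sys.argv) > 1 else "mx.example.test"))
```

Run over a list of MX hostnames, the four buckets the report counts fall out of `probe_mx` directly. Note that the probe never learns whether the receiving domain *intended* to offer TLS: a host that answers without STARTTLS is classified "cleartext" and the sender would proceed in the clear, which is the gap the post is pointing at when it says a certificate cannot preclude active attacks in this mode.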

