All that’s missing from the organic encrypt the web movement seems to be a hashtag. Otherwise, no one can accuse major web providers of slacking as leading players such as Microsoft and Yahoo, prompted by the Snowden leaks, have made noteworthy leaps in the last 15 months to encrypt everything from keywords to data center links to email services.

Facebook today published numbers that show just how pervasive encryption is becoming on the web. After a plea in May for others to start supporting STARTTLS, the social network said that 95 percent of its outbound notification email was now delivered over STARTTLS connections that negotiated TLS with both Perfect Forward Secrecy and certificate validation in place.

“Since STARTTLS encryption requires both sides to deploy it, we encouraged others to take the next step,” said Michael Adkins, a mail integrity engineer at Facebook.

Facebook reported three months ago that only 28.6 percent of its outbound notifications were encrypted and passed certificate validation. The skyrocketing numbers, Adkins said, are due in large part to actions by providers such as Yahoo and Microsoft.

Since July 1, both have announced either enhancements to existing encryption efforts, or initiatives to continue building on what’s already in place. Microsoft, for example, announced that Outlook.com supported TLS encryption on inbound and outbound messages, as well as Perfect Forward Secrecy. Microsoft also enabled Perfect Forward Secrecy on its OneDrive cloud-based storage platform.

Perfect Forward Secrecy, along with HSTS and TLS, is starting to be considered a minimum standard for new applications. Google, Yahoo, Microsoft and others moved quickly during the last 15 months of Snowden revelations to fight perceptions and intimations that they were somehow complicit in government surveillance efforts. The surge in encryption deployments goes a long way toward dispelling any notion of tacit complicity.

“Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections,” said Microsoft vice president, Trustworthy Computing, Matt Thomlinson in July. “As with Outlook.com’s email transfer, this makes it more difficult for attackers to decrypt connections between their systems and OneDrive.”

Yahoo, meanwhile, was long considered an encryption laggard. Its turnaround began in January when it announced it was turning on SSL by default for Yahoo Mail. Within four months, new CISO Alex Stamos announced Yahoo was encrypting traffic moving between its data centers, a key point where the NSA and the U.K.’s GCHQ are accused of placing taps and vacuuming up user data for surveillance.

At the recent Black Hat conference in Las Vegas, Stamos said Yahoo would enable end-to-end encryption for all of its Mail users by the end of the year, and that it was partnering with Google, using a Google browser plug-in that encrypts data end to end before it leaves the browser.

Facebook said strict encryption has jumped to 95 percent of its notification email messages to users, while opportunistic encryption has fallen to close to zero. In May, Facebook reported strict validation, meaning a TLS cipher suite was negotiated and the receiving server's certificate passed validation, in 30 percent of cases; in another 28 percent only opportunistic encryption took place, where a TLS cipher suite was negotiated but the certificate failed strict validation (typically a self-signed, expired or mismatched certificate, which a passive eavesdropper cannot exploit but an active man-in-the-middle can).
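The three buckets above (plaintext, opportunistic, strict) are the outcome of a single STARTTLS negotiation, and the forward-secrecy property Microsoft describes is a property of the cipher suite that negotiation selects. The following script is an added example written for this article, not Facebook's or Threatpost's code. It probes an inbound mail server the way a sender would, first with full certificate validation and then, if only validation fails, without it, so that each hop lands in exactly one of the buckets; it then aggregates results into the percentages the article quotes. The host names and the `SAMPLE_RESULTS` list are constructed for illustration, not real measurements.

```python
"""Probe an inbound mail server for STARTTLS and classify the hop as
plaintext, opportunistic (TLS negotiated, certificate fails validation) or
strict (TLS negotiated, certificate validated), and report whether the
negotiated cipher suite gives forward secrecy.

Added example for this article, not Facebook's or Threatpost's code.
Host names and SAMPLE_RESULTS below are constructed, not measured.
"""
import smtplib
import ssl
import sys
from collections import Counter

# Suites whose key exchange is ephemeral (EC)DHE provide forward secrecy.
# Every TLS 1.3 suite (OpenSSL names them TLS_*) is forward secret by design.
FORWARD_SECRET_PREFIXES = ("ECDHE", "DHE", "TLS_AES", "TLS_CHACHA20")


def is_forward_secret(cipher_name):
    """True if an OpenSSL cipher suite name implies an ephemeral key exchange."""
    return cipher_name.upper().startswith(FORWARD_SECRET_PREFIXES)


def classify(tls_negotiated, cert_valid):
    """Map the two facts a sender observes onto the three reporting buckets."""
    if not tls_negotiated:
        return "plaintext"
    return "strict" if cert_valid else "opportunistic"


def probe_starttls(mx_host, port=25, timeout=10.0):
    """Connect to mx_host, issue STARTTLS and report what was negotiated.

    Attempt 1 validates the chain and host name (strict). If only validation
    fails, attempt 2 skips validation to learn whether the hop would at least
    be encrypted opportunistically. Anything else is reported as an error.
    """
    strict_ctx = ssl.create_default_context()      # CA chain + hostname check
    lax_ctx = ssl.create_default_context()
    lax_ctx.check_hostname = False
    lax_ctx.verify_mode = ssl.CERT_NONE            # accept any certificate

    for cert_valid, ctx in ((True, strict_ctx), (False, lax_ctx)):
        smtp = None
        try:
            smtp = smtplib.SMTP(mx_host, port, timeout=timeout)
            smtp.ehlo()
            if not smtp.has_extn("starttls"):      # server never offered TLS
                return {"host": mx_host, "result": classify(False, False),
                        "cipher": None, "pfs": False}
            smtp.starttls(context=ctx)             # SNI/hostname = mx_host
            cipher, version, _bits = smtp.sock.cipher()
            return {"host": mx_host, "result": classify(True, cert_valid),
                    "cipher": cipher, "tls_version": version,
                    "pfs": is_forward_secret(cipher)}
        except ssl.SSLCertVerificationError:
            continue                               # retry without validation
        except (smtplib.SMTPException, OSError) as exc:
            return {"host": mx_host, "result": "error", "error": str(exc)}
        finally:
            if smtp is not None:
                smtp.close()
    return {"host": mx_host, "result": "error",
            "error": "TLS handshake failed even without validation"}


def summarize(results):
    """Percentage of hops in each bucket, as in the outbound report above."""
    counts = Counter(r["result"] for r in results)
    total = sum(counts.values())
    if not total:
        return {}
    return {bucket: round(100.0 * counts.get(bucket, 0) / total, 1)
            for bucket in ("strict", "opportunistic", "plaintext", "error")}


def forward_secret_share(results):
    """Percentage of encrypted hops whose cipher suite gives forward secrecy."""
    encrypted = [r for r in results if r["result"] in ("strict", "opportunistic")]
    if not encrypted:
        return 0.0
    return round(100.0 * sum(1 for r in encrypted if r["pfs"]) / len(encrypted), 1)


# Constructed sample of 20 probe results (not real measurements) mirroring the
# 95 percent strict / near-zero opportunistic split quoted in the article.
SAMPLE_RESULTS = (
    [{"host": "mx.provider-a.example", "result": "strict",
      "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "pfs": True}] * 19
    + [{"host": "mx.provider-b.example", "result": "opportunistic",
        "cipher": "AES256-SHA", "pfs": False}]
)

if __name__ == "__main__":
    # Usage: python probe.py mx1.example.net mx2.example.org ...
    results = [probe_starttls(h) for h in sys.argv[1:]] or SAMPLE_RESULTS
    for r in results:
        print(r)
    print(summarize(results), "forward secret:", forward_secret_share(results))
```

Run with one or more MX host names to probe live servers from a host that can reach port 25; with no arguments it summarizes the constructed sample. Two caveats a practitioner should keep in mind: an opportunistic result means the hop is protected only against passive interception, since an active attacker who strips the STARTTLS advertisement or presents his own certificate is not detected, and a strict result still says nothing about what the receiving provider does with the message once it has been delivered.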

Adkins said that Facebook isn’t satisfied with 95 percent.

“In addition to thanking these service providers for implementing best practices and allowing stronger encryption to take hold, we’d like to encourage any remaining providers to deploy STARTTLS as soon as possible,” Adkins said.

This story was updated Aug. 21 to clarify that outbound notification emails are encrypted.

Categories: Cryptography, Web Security

Comments (3)

  1. Steffen Ullrich

    This is misleading. Only the transport of the emails from Facebook to the mail server is encrypted. The mails themselves are not encrypted and can be read by the mail provider or anybody who has access to those systems. This is no end-to-end security like HTTP but hop-by-hop security. Real mail encryption with end-to-end security would be PGP or S/MIME.

    • George

      While I agree with you about only the transport being encrypted, and that the article is misleading, it is still important. Since we know that part of a certain agency's goals were to read as much traffic in transit as possible, this helps protect against that. So long as the email providers themselves are not rolling over and allowing said agency to tap directly into their databases or internal network. If your concern is government snooping, then, so long as every trunk between your email provider and your recipient's email provider is encrypted, this makes email a pretty safe bet.

      It does nothing, however, if the government (or criminal element) means to target YOU. They will (via malware usually) get to your computing device, and then no amount of encryption is going to help you. Progress in one area is no reason to rest, but don’t let the perfect be the enemy of the good.

  2. Anonymous

    I concur with Steffen Ullrich and I'm surprised that Threat Post would present this as it did without explaining it. Kaspersky has some very talented professionals; perhaps the site should rely on them before misrepresenting security issues.
