Close to All Facebook Outbound Notification Emails Encrypted

Facebook Transparency Report

Facebook published numbers today that demonstrate the pervasiveness of encryption on the web; the social network said 95 percent of its notification emails are encrypted with Perfect Forward Secrecy, up from 29 percent in May.

All that’s missing from the organic encrypt the web movement seems to be a hashtag. Otherwise, no one can accuse major web providers of slacking as leading players such as Microsoft and Yahoo, prompted by the Snowden leaks, have made noteworthy leaps in the last 15 months to encrypt everything from keywords to data center links to email services.

Facebook today published numbers that show just how pervasive encryption is becoming on the web. After a plea in May for others to start supporting STARTTLS, the social network said today that 95 percent of the transport of its outbound notification emails were successfully encrypted with both Perfect Forward Secrecy and certification validation in place.

“Since STARTTLS encryption requires both sides to deploy it, we encouraged others to take the next step,” said Michael Adkins, a mail integrity engineer at Facebook.

Facebook reported three months ago that only 28.6 percent of its outbound notifications were encrypted and passed certification validation. The skyrocketing numbers, Adkins said, are due in large part to actions on behalf of providers such as Yahoo and Microsoft.

Since July 1, both have announced either enhancements to existing encryption efforts, or initiatives to continue building on what’s already in place. Microsoft, for example, announced that Outlook.com supported TLS encryption on inbound and outbound messages, as well as Perfect Forward Secrecy. Microsoft also enabled Perfect Forward Secrecy on its OneDrive cloud-based storage platform.

Perfect Forward Secrecy, along with HSTS and TLS, is starting to be considered a minimum standard for new applications. Google, Yahoo, Microsoft and others moved quickly during the last 15 months of Snowden revelations to fight perceptions and intimations they were somehow complicit with government surveillance efforts. The surge in encryption deployments removes even a notion of tacit complicity.

“Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections,” said Microsoft vice president, Trustworthy Computing, Matt Thomlinson in July. “As with Outlook.com’s email transfer, this makes it more difficult for attackers to decrypt connections between their systems and OneDrive.”

Yahoo, meanwhile, was long considered an encryption laggard. Its turnaround began in January when it announced it was turning on SSL by default for Yahoo Mail. Within four months, new CISO Alex Stamos announced Yahoo was encrypting traffic moving between its data centers, a key point where the NSA and the U.K.’s GCHQ are accused of placing taps and vacuuming up user data for surveillance.

At the recent Black Hat conference in Las Vegas, Stamos said Yahoo would enable end to end encryption for all of its Mail users by the end of the year and that it was partnering with Google, using a Google browser plug-in that enables end to end encryption of data leaving the browser.

Facebook said strict encryption has jumped to 95 percent of its notification email messages to users, while opportunistic encryption has plummeted to close to zero. In May, Facebook reported that strict validation, or completely successful TLS negotiations, happened in 30 percent of cases, while in another 28 percent, opportunistic encryption happened where a TLS cipher suite was negotiated, but the certificate did not pass strict validation.

Adkins said that Facebook isn’t satisfied with 95 percent.

“In addition to thanking these service providers for implementing best practices and allowing stronger encryption to take hold, we’d like to encourage any remaining providers to deploy STARTTLS as soon as possible,” Adkins said.

This story was updated Aug. 21 to clarify that outbound notification emails are encrypted.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.