HANOVER, GERMANY - MARCH 05:  Workers prepare a presentation of advanced e-mail at the Deutsche Telekom stand the day before the CeBIT 2012 technology trade fair officially opens to the public on March 5, 2012 in Hanover, Germany. CeBIT 2012, the world's largest information technology trade fair, will run from March 6-10, and advances in cloud computing are a major feature this year.  (Photo by Sean Gallup/Getty Images)

Google, Microsoft Behind STARTTLS Proposal to Make Email More Secure

Add Your Comments

Engineers from companies including Google and Microsoft submitted a proposal to the Internet Engineering Task Force on Friday designed to improve the security of STARTTLS – an extension to the Simple Mail Transfer Protocol (SMTP) designed to establish secure SMTP sessions over TLS.

STARTTLS was invented a few years ago as a way to “take an insecure connection and upgrade it to a secure connection using TLS,” according to FastMail.

The proposal notes that in its current form, STARTTLS has some issues, namely it fails to provide message confidentiality “because opportunistic STARTTLS is subject to downgrade attacks” and server authenticity, “because the trust from email domain to the MTA (Mail Transfer Agent) server identity is not cryptographically validated.”

Read more: As STARTTLS Adoption Grows, Facebook Reports Huge Jump in Encrypted Notification Emails

In October, a report found that despite the increasing use of STARTTLS, “widespread corruption” prevents it from working as intended. For example, STARTTLS is designed to fail open rather than fail closed, which means that when certain errors happen, servers send the email in an unencrypted form rather than failing to send the message at all, Ars Technica reports.

According to a report by ZDNet, one of the measures in the proposal is the ability to stop delivering a message if it can’t be delivered securely, which is possible through SMTP STST policy records that allow a sending service to check a recipient’s policy prior to sending an email.

The draft expires Sept. 19, 2016.

Newsletters

Subscribe Now and Get Our Exclusive Report on "The Hosting Infrastructure Ecosystem"

Enter your email to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.

Related Forum Threads

About the Author

Nicole Henderson is the Editor in Chief of the WHIR, where she covers daily news and features online. She has a bachelor of journalism from Ryerson University in Toronto. You can find her on Twitter @NicoleHenderson.

Add Your Comments

  • (will not be published)