Facebook notification emails are encrypted 95 percent of the time with Perfect Forward Secrecy and strict certificate validation, up from less than 30 percent in May of this year. The dramatic improvement is largely due to changes made by major email providers like Microsoft and Yahoo, which have deployed STARTTLS, according to a post by the social network.
In May, Facebook Messaging Integrity Engineer Michael Adkins posted a note on “The Current State of SMTP STARTTLS Deployment” to the “Protect the Graph” Facebook page. The post revealed statistics collected by Facebook on the security of their notification emails, and showed that while nearly 60 percent were encrypted, nearly half of those failed strict validation.
The primary reason for validation failure was the name on the certificate not matching the hostname, and Facebook urged industry cooperation to develop better tools to prevent mismatched certificates.
The post also urged those providers who had not yet deployed STARTTLS to do so, noting that the protocol had achieved critical mass.
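To see how a measurement like Facebook's is taken, here is an added example (not the social network's own tooling): a Python probe that connects to an MX host, upgrades the session with STARTTLS, and records the three properties the post reports, whether the hop was encrypted at all, whether it passed strict validation (trusted chain and a certificate name matching the host), and whether the key exchange gives forward secrecy. The MX hostname is supplied by the caller and the OpenSSL cipher-suite naming is assumed.

```python
import smtplib
import ssl


def cipher_has_pfs(cipher_name, protocol):
    """TLS 1.3 suites always use ephemeral (EC)DH; older suites show it in the name."""
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE", "DHE", "TLS_ECDHE", "TLS_DHE"))


def classify(starttls_offered, encrypted, strict_valid, pfs):
    """Bucket one delivery attempt the way the post's percentages do."""
    if not (starttls_offered and encrypted):
        return "unencrypted"
    if not strict_valid:
        return "encrypted, failed strict validation"
    if not pfs:
        return "strict validation without PFS"
    return "strict validation with PFS"


def _starttls_cipher(mx_host, port, ctx, timeout):
    """Open a fresh session, upgrade with STARTTLS under ctx, and return the
    negotiated cipher tuple, or None when the server does not offer STARTTLS."""
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        # smtplib passes server_hostname=mx_host, so the context's hostname
        # check compares the certificate name against the MX name we dialled.
        smtp.starttls(context=ctx)
        return smtp.sock.cipher()  # (suite name, protocol version, key bits)


def probe_mx(mx_host, port=25, timeout=10.0):
    """Try strict validation first; if the certificate is rejected, reconnect
    without verification so 'encrypted but untrusted' is told apart from
    'not encrypted' (the gap between the post's two percentages)."""
    try:
        cipher = _starttls_cipher(mx_host, port, ssl.create_default_context(), timeout)
        strict = True
    except ssl.SSLCertVerificationError:  # e.g. name on the certificate != mx_host
        lax_ctx = ssl.create_default_context()
        lax_ctx.check_hostname = False
        lax_ctx.verify_mode = ssl.CERT_NONE
        cipher = _starttls_cipher(mx_host, port, lax_ctx, timeout)
        strict = False
    if cipher is None:
        return classify(False, False, False, False)
    name, proto, _bits = cipher
    return classify(True, True, strict, cipher_has_pfs(name, proto))
```

Run `probe_mx("<mx hostname>")` against a host you operate; the result string is the bucket that host would fall into in statistics like Facebook's.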
“When we posted in May about the state of STARTTLS deployment, we had no idea that we would see such significant changes to email encryption across the industry in just a few short months,” Adkins said.
Facebook’s data shows that encryption rates rocketed from near 60 to over 90 percent within the month of May, and that strict validation jumped from under 40 percent to 70 percent at the same time. In mid-June, strict validation abruptly jumped from 70 to 95 percent, where both total encrypted and strict validation rates have stayed since.
Yahoo added encryption to its data center traffic and made it a default setting for its webmail service in April, just ahead of deploying STARTTLS. Earlier this month at Black Hat, Yahoo also announced that it was cooperating with Google to secure email between the two providers; because encryption on a mail hop only works when both the sending and receiving sides support it, sorting out that two-way street has become a provider priority amid the greater industry and media scrutiny brought on by NSA surveillance.
Certificate use, and the attention certificates receive, has also increased as part of the evolution of web security, but it is not immediately obvious what caused the dramatic improvement Facebook found in June.