If you are ambivalent about using STARTTLS — an extension that’s used to upgrade an insecure network connection between mail providers to an encrypted one — for your email encryption purposes, Facebook thinks you should give it a shot, as detailed in a Facebook blog post Tuesday.
The post by Facebook mail integrity engineer Michael Adkins details how Adkins conducted a short study to see whether or not mail providers are actively using STARTTLS. Adkins and Facebook were under the impression that the capability was not widely deployed throughout the industry.
To conduct the study, Adkins and his team analyzed a day’s worth of the company’s notification email logs, which contained data pertaining to “several billion emails to several million domains.” The majority of that data dealt with account-related notifications, like registration confirmations.
The Facebook team kept tabs on each SMTP server — the internet standard for sending emails — that claimed it could handle the STARTTLS extension, and found that 60 percent of the emails that Facebook sent to each servers were delivered via an encrypted connection. Adkins wrote that this “is an encouragingly high percentage.”
The posting also goes into detail about how mismatched certificates, as in the case where a security certificate does not match the hostname, led to the delivery of unencrypted emails, even though the server that received those emails advertised STARTTLS compatibility.
From the study’s results, Adkins concluded that the industry needs to come up with better ways to handle mismatched certificates and he urged everyone to use STARTTLS for encryption purposes.
Adkins’ sentiments echo comments made by Twitter’s Josh Aberant in a March posting on Twitter’s engineering blog that mentions how the company started using STARTTLS in January. In the blog, Aberant praised Gmail and AOL Mail for supporting the capability and urged other email providers to prioritize it if they haven’t already done so.