Is Email Confidential in Transit Yet?
18 hours ago
- #TLS-encryption
- #email-security
- #server-authentication
- Email in transit between servers is still not reliably confidential: although over 90% of traffic is carried over TLS, most of it is opportunistic STARTTLS with no certificate verification, which defeats passive eavesdropping but not an active attacker who can strip the STARTTLS offer or present a forged certificate.
- Mandatory TLS is not a default policy because a small share of mail from important domains (e.g., financial institutions) still arrives unencrypted; a large provider that refused that mail would break delivery, so enforcement is impractical at scale.
- Adoption of the two mechanisms that let a sender authenticate the receiving server, DANE and MTA-STS, is low (0.9% and 1.2% of domains respectively), though MTA-STS adoption is growing faster.
- Even sensitive messages such as password-reset emails (e.g., from AWS) are sent without TLS enforcement; the service relies on multi-factor authentication rather than transport confidentiality to protect the account.
- Active attacks such as STARTTLS stripping have been observed globally, with significant downgrade rates in some countries, so the risk is ongoing rather than theoretical.
- Recommendations: domain owners should publish an MTA-STS or DANE policy and serve CA-issued TLS certificates on their MX hosts (MTA-STS requires a certificate that chains to a public CA; DANE can instead pin the certificate or key via a TLSA record), and providers should adopt these policies and report on their transit security.
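The bullets above describe the difference between opportunistic TLS and an MTA-STS policy in words; the following is an added example (not code from the article or from any MTA) that makes the sending side's decision concrete. It parses a constructed `_mta-sts` TXT record and policy file for the hypothetical domain example.com, applies the RFC 8461 MX-matching rule, and shows what happens to one delivery attempt when STARTTLS is stripped, the certificate does not validate, or the MX is not in the policy, with and without a policy. All hostnames, the policy id and the return strings are assumptions chosen for illustration.

```python
"""Added example: how an MTA-STS policy changes a sending MTA's delivery decision.
Constructed data only; nothing here is fetched from the network."""
from dataclasses import dataclass
from typing import Optional

# Constructed DNS TXT record at _mta-sts.example.com (signals that a policy exists).
SAMPLE_STS_TXT = "v=STSv1; id=20240101T000000Z;"

# Constructed policy body served at https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.net
max_age: 604800
"""


@dataclass
class StsPolicy:
    mode: str        # "enforce", "testing" or "none"
    mx: list         # allowed MX patterns, lower-cased
    max_age: int     # seconds the sender may cache the policy


def parse_sts_txt(txt: str) -> Optional[str]:
    """Return the policy id from a _mta-sts TXT record, or None if it is not an STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text: str) -> StsPolicy:
    """Parse the HTTPS-served policy file (RFC 8461 section 3.2 key: value lines)."""
    version, mode, max_age, mx = None, None, None, []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("invalid MTA-STS policy")
    return StsPolicy(mode, mx, max_age)


def mx_matches(mx_host: str, patterns) -> bool:
    """RFC 8461 MX matching: '*.example.net' matches exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".mx.example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: Optional[StsPolicy], mx_host: str,
                      starttls_offered: bool, cert_valid_for_mx: bool) -> str:
    """Outcome of one delivery attempt (assumed labels, not an MTA's real log strings).

    No policy or mode=none is opportunistic TLS: a stripped STARTTLS offer silently
    degrades to cleartext and certificates are never checked.  mode=enforce refuses
    the path on any failure (RFC 8461 says the sender MUST NOT deliver; it queues and
    retries).  mode=testing delivers anyway but the failure would be reported via TLSRPT.
    """
    transport = "delivered-tls" if starttls_offered else "delivered-cleartext"
    if policy is None or policy.mode == "none":
        return transport
    if starttls_offered and cert_valid_for_mx and mx_matches(mx_host, policy.mx):
        return "delivered-tls"
    if policy.mode == "enforce":
        return "deferred"
    return transport + "+tlsrpt"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", parse_sts_txt(SAMPLE_STS_TXT))
    # STARTTLS stripped: opportunistic sender leaks cleartext, enforcing sender defers.
    print("no policy, stripped:", delivery_decision(None, "mail.example.com", False, False))
    print("enforce,   stripped:", delivery_decision(policy, "mail.example.com", False, False))
    # Attacker-controlled MX with a valid cert for its own name still fails the MX match.
    print("enforce, rogue MX:  ", delivery_decision(policy, "mx.attacker.example", True, True))
```

The MX-matching check is what stops an attacker who controls DNS from pointing the domain's MX at a host for which they hold a valid certificate; the wildcard rule deliberately covers only one label so that `a.b.mx.example.net` is not accepted by `*.mx.example.net`.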