EFF Launches Encryption Initiative for Email Domains Named STARTTLS Everywhere


The Electronic Frontier Foundation (EFF) has announced a new project named STARTTLS Everywhere, which aims to give server administrators guidance on setting up an email server that runs STARTTLS correctly.

STARTTLS Everywhere is eerily similar to Let’s Encrypt, another pro-encryption initiative the EFF launched together with Mozilla and Cisco two years ago.

But this initiative aims to bring encrypted communications to email servers, instead of web servers (Let’s Encrypt’s purpose).






STARTTLS is an addition to SMTP, which allows one email server to say to the other, “I want to deliver this email to you over an encrypted communications channel.” The recipient email server can then say “Sure! Let’s negotiate an encrypted communications channel.” The two servers then set up the channel and the email is delivered securely, so that anybody listening in on their traffic only sees encrypted data. In other words, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won’t be able to see the contents of messages while they’re in transit, and will need to use more targeted, low-volume methods.

STARTTLS works by allowing two email servers that want to send/receive an email to exchange certificates and set up an encrypted communications channel between the two. Once the encrypted channel is secured, the sending server transmits the email in an encrypted form, which is then decrypted on arrival.





STARTTLS already deployed on 89% of all email servers

STARTTLS is not new by any stretch of the imagination. The SMTP standard extension was approved in 1999, and according to Google’s latest Email Transparency Report, it’s already deployed on 89% of all email servers currently online.

But despite its huge reach, EFF experts say STARTTLS is often misconfigured.

Anyone able to interpose themselves between two email servers can use an invalid certificate to pose as the recipient or sender, because most email servers fail to verify the authenticity of the certificate they are presented with.

Furthermore, due to a lapse in STARTTLS’ design, STARTTLS-encrypted email communication channels can be downgraded to sending the email message in cleartext, instead of an encrypted form.

This “feature” was designed for situations where one server does not support STARTTLS, but during the past few years, security researchers and privacy advocates have often spotted ISPs in various countries intentionally downgrading STARTTLS to cleartext for various purposes that range from state-wide surveillance to user tracking and advertising.





STARTTLS Everywhere is like Let’s Encrypt, but for email

The EFF says this is where its latest project, STARTTLS Everywhere, will be able to help.

“STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let’s Encrypt,” the EFF says. “This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers.”

“Finally, STARTTLS Everywhere includes a ‘preload list’ of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. The net result: more secure email, and less mass surveillance.”
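The sender-side check that a preload list makes possible, as an added example (not code from the EFF or from the original article): the `PRELOAD` structure, its `mxs` field, the function names and the EHLO replies are all constructed for illustration and do not reflect the real list format.

```python
# Added example: sender-side downgrade detection against a preload-style list.
# PRELOAD and its "mxs" field are hypothetical, not the EFF's actual list format.
PRELOAD = {  # constructed sample: domains that promised STARTTLS, with allowed MX names
    "example.org": {"mxs": [".mail.example.org"]},
}

def ehlo_extensions(reply):
    """Parse a multi-line SMTP EHLO reply ("250-..." / "250 ...") into extension keywords."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:   # first line is the greeting
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts

def mx_allowed(mx_host, patterns):
    """A pattern starting with '.' matches any host under that suffix; otherwise exact match."""
    host = mx_host.lower().rstrip(".")
    return any(host.endswith(p) if p.startswith(".") else host == p for p in patterns)

def delivery_decision(domain, mx_host, ehlo_reply, cert_verified):
    """Return (action, reason).

    cert_verified: True only if the TLS handshake completed and the certificate
    chain and hostname were validated by the sender.
    """
    policy = PRELOAD.get(domain.lower())
    offers_tls = "STARTTLS" in ehlo_extensions(ehlo_reply)
    if policy is None:
        # No promise on record: opportunistic behaviour, cleartext fallback allowed.
        return ("deliver", "opportunistic TLS" if offers_tls else "cleartext, no policy")
    if not mx_allowed(mx_host, policy["mxs"]):
        return ("refuse", "MX host not covered by policy")
    if not offers_tls:
        return ("refuse", "STARTTLS missing for a listed domain: possible downgrade")
    if not cert_verified:
        return ("refuse", "certificate failed validation")
    return ("deliver", "STARTTLS with policy satisfied")

# Constructed EHLO replies: the second is what a sender sees when the
# STARTTLS line has been removed somewhere on the network path.
EHLO_OK = "250-mx1.mail.example.org\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_STRIPPED = "250-mx1.mail.example.org\r\n250-SIZE 35882577\r\n250 8BITMIME"
```

Without a list entry the stripped reply is indistinguishable from a server that never supported STARTTLS, which is why the fallback to cleartext goes unnoticed for unlisted domains.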




