Friday 21 June 2013

Web mail providers leave door open for NSA surveillance

Billions of supposedly private e-mail messages a day flow through unsecured links, where they can be snared in digital dragnets operated by the National Security Agency and other intelligence services.
Recent revelations about NSA surveillance -- including a top-secret document discussing "collection of communications on fiber cables and infrastructure as data flows past" -- have highlighted the ease with which government eavesdroppers can exploit the Internet's infrastructure. Another classified document, which the Guardian published yesterday, mentions network-based surveillance of Hotmail servers.

Over the last decade or so, Web mail providers began to turn on encryption to armor the connections between users' computers and Gmail, Yahoo Mail, Hotmail and other services. That form of protection against surveillance, which typically appears in a Web browser as an "https" connection accompanied by a padlock, is viewed as generally secure and is used by banks as well. Google has offered it since 2004, and Yahoo finally followed suit this year.
But during the next step, when those e-mail messages are transferred from one company's servers to another's, they're rarely encrypted. An e-mail message a Facebook user addresses to a Yahoo Mail user, for instance, will be delivered in an unencrypted form through a server-to-server connection that provides no protection against surveillance.
"The incentives aren't really there for companies to try to implement it," says Ashkan Soltani, an independent security consultant. That's the case even though, he says, enabling encryption is "a really easy thing to do."
A survey of top mail providers shows that Google is alone in using strong encryption, known as SMTP-TLS, to fully armor e-mail connections for its users. SMTP-TLS also protects employee e-mail at security-conscious companies, large law firms, and sensitive government agencies including the NSA, the White House, and the Department of Homeland Security. (You can check on your own provider by typing in your e-mail address at CheckTLS.com.)
Unfortunately, those are the exceptions. Facebook, Hotmail, Yahoo Mail, and AOL Mail do not accept incoming e-mail in SMTP-TLS encrypted form, meaning hundreds of millions of users' private communications are vulnerable to monitoring. Both the sending and receiving servers must have encryption turned on for a secure connection to happen.
"My sense is that Google is the one large company that has demonstrated it cares about crypto," says Dan Auerbach, a staff technologist at the Electronic Frontier Foundation in San Francisco. "We think [encryption] should obviously be supported by all these mail servers."
One reason so many mail providers don't encrypt server-to-server mail links using SMTP-TLS is that, unlike browser encryption, this security precaution would be invisible to users. And the fat pipes that backbone providers operate have historically been viewed as safe. (SMTP-TLS stands for Simple Mail Transfer Protocol Transport Layer Security. TLS was published as an Internet protocol in 1999.)
Adam Langley, a software engineer at Google, told CNET that "we do support TLS" for both inbound and outbound exchanges between mail servers. But, diplomatically, he declined to speculate on why many other companies do not. The company even offers its Google Apps users the high-security choice of rejecting non-encrypted connections.
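The server-to-server negotiation described above, as an added example that is not part of the original article: a receiving server signals SMTP-TLS support by listing STARTTLS in its EHLO reply, and the link is encrypted only if the sender also uses it. The EHLO replies, hostnames, and the function names and `require_tls` switch (modeling the "reject non-encrypted connections" choice) are constructed for illustration.

```python
import smtplib

# Constructed EHLO replies; not captured from any real provider.
EHLO_WITH_TLS = ("250-mx.receiver.example\r\n250-SIZE 35882577\r\n"
                 "250-8BITMIME\r\n250-STARTTLS\r\n250 PIPELINING\r\n")
EHLO_NO_TLS = ("250-mx.legacy.example\r\n250-SIZE 10485760\r\n"
               "250 8BITMIME\r\n")

def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line 250 reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    extensions = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in " -":
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250-" marks a continuation line, "250 " marks the final line.
        is_final = line[3] == " "
        if is_final != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if i > 0:  # the first line carries the server's name, not an extension
            words = line[4:].split()
            if words:
                extensions.add(words[0].upper())
    return extensions

def session_outcome(sender_uses_tls, receiver_reply, require_tls=False):
    """Classify the hop: both sides must support TLS for it to be encrypted."""
    receiver_offers_tls = "STARTTLS" in parse_ehlo(receiver_reply)
    if sender_uses_tls and receiver_offers_tls:
        return "encrypted"
    # With a TLS-required policy the message is refused instead of downgraded.
    return "rejected" if require_tls else "cleartext"

def probe_live(mx_host, timeout=10):
    """Live variant: ask a real MX host whether it advertises STARTTLS.
    Needs outbound access to port 25; not called by the sample run below."""
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as server:
        server.ehlo()
        return server.has_extn("starttls")

if __name__ == "__main__":
    for name, reply in (("with TLS", EHLO_WITH_TLS), ("no TLS", EHLO_NO_TLS)):
        print(name, sorted(parse_ehlo(reply)),
              session_outcome(True, reply),
              session_outcome(True, reply, require_tls=True))
```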
A Facebook spokesman said: "Facebook currently supports user-to-server encryption, but does not currently support server-to-server encryption as we have not seen wide adoption of the protocol. We are open to adoption to this or other protocols in the future as they are used by more services." A Yahoo representative said: "At Yahoo!, we invest heavily in the security of our users and we're continually looking to enhance the security capabilities of our products." AOL did not respond to queries.