Best practice for mail-servers is to turn on TLS by default, which means that when that mail server talks to other mail servers, it encrypts the connection to thwart eavesdroppers. Though the practice (sometimes called "opportunistic encryption") started out as something only paranoid organizations partook of, it's now so widespread that Google warns you if you attempt to use Gmail to send a message to someone whose server won't accept encrypted connections.
So it's surprising that London's Metropolitan Police Service doesn't use it.
"If you were to send me an email at x@met.police.uk it looks as it if would be sent in with no level of encryption, which is surprising as most organisations these days use TLS, and send email over HTTPS by default," Alan Woodward, a visiting professor at the University of Surrey who looked over the results, told Motherboard in a Twitter message. In short, anyone who might intercept emails from this server while in transit—maybe an internet service provider, or someone snooping on either the sender or the recipient's network—doesn't have to worry about encryption getting in the way of the email's content.The MPS does use another email domain too—part of the police national network—that does come with TLS. But it is the MPS' own domain that does not come with the same protections.
The MPS acknowledged several requests for comment this week, but did not provide a response.
London Cops' Emails Sent With No Encryption, Open to Interception
[Joseph Cox/Motherboard]
