EFF has released STARTTLS Everywhere: free tools to encrypt email between mail servers

When you send someone else an email, your mail server connects to their mail server to transmit the message, and spy agencies have made a surveillance banquet out of these transactions, harvesting emails by the billions.

A protocol called STARTTLS allows mail servers to encrypt the traffic between them, frustrating criminals, spies, corporate spies, and other nefarious parties (though bad guys have figured out ways to trick mail servers into skipping the encryption step in order to keep snooping).

STARTTLS is a pain for mail server administrators to set up, though, from the process of getting the encryption certificates to configuring the mail server to use them (including taking the countermeasures to stop spies from bypassing the encryption).


So the Electronic Frontier Foundation — as part of its ongoing quest to encrypt the whole internet (see also: Certbot, Let's Encrypt, HTTPS Everywhere, and related tools) — has just released STARTTLS Everywhere, an automated tool that generates the certificates, helps install and configure them, and double-checks the configuration to make sure everything is safe and secure.

Unless you run your own mail server, you can't do anything with this: but you can (and should) send it along to whoever administers your email and get them to have a look. It's totally free, and solves a real problem, widely observed in the wild, of mass email surveillance.

STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let's Encrypt. This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers. Finally, STARTTLS Everywhere includes a "preload list" of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. The net result: more secure email, and less mass surveillance.

Mailserver admins can read more about how STARTTLS Everywhere's list is designed, how to run it on your mailserver, and how to get your mailserver added to the preload list.
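To make the downgrade-detection point concrete, here is an added example (written for this page, not code from the original post or from EFF's STARTTLS Everywhere project) of the sender-side logic a preload list enables. A sending server reads the receiving server's EHLO reply; if the recipient's domain is on the preload list with a promise to offer STARTTLS and the reply does not advertise it, the sender treats that as a stripped or mangled capability rather than silently falling back to plaintext. The policy dictionary, the `mode` values, the MX patterns and the EHLO replies are all constructed for illustration and stand in for the project's real policy format.

```python
"""Added example: how a STARTTLS preload list turns a missing capability into a
detected downgrade instead of a silent fallback to plaintext.

Not part of the original post or of EFF's STARTTLS Everywhere code; the policy
format below is a simplified, constructed stand-in for the real preload list."""
import re

# Constructed preload policy: recipient domains whose MX hosts have promised
# to offer STARTTLS. "enforce" means refuse plaintext delivery; "testing" means
# deliver anyway but record the failure. A leading dot matches any subdomain.
PRELOAD_POLICY = {
    "example.com": {"mode": "enforce", "mxs": [".example.com"]},
    "testing.example.org": {"mode": "testing", "mxs": ["mx.testing.example.org"]},
}

# Constructed EHLO replies in RFC 5321 multi-line form (first line is the greeting).
EHLO_WITH_STARTTLS = (
    "250-mx1.example.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
# A middlebox that simply drops the STARTTLS line.
EHLO_STRIPPED = "250-mx1.example.com\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"
# A middlebox that overwrites the capability with filler so it no longer parses.
EHLO_MANGLED = "250-mx1.example.com\r\n250-XXXXXXXX\r\n250 8BITMIME\r\n"


def parse_ehlo(reply):
    """Return the set of upper-cased capability keywords advertised in an EHLO reply."""
    lines = reply.splitlines()
    caps = set()
    for line in lines[1:]:  # lines[0] is the greeting, not a capability
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def mx_matches(policy_mxs, mx_host):
    """True if the MX host we connected to is one the policy vouches for."""
    host = mx_host.lower()
    for pattern in policy_mxs:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def decide_delivery(recipient_domain, mx_host, ehlo_reply, policy=PRELOAD_POLICY):
    """Decide what a sending MTA should do after reading the receiver's EHLO reply.

    Returns (verdict, reason). Verdicts: "deliver" (over TLS), "defer" (do not
    send in the clear, retry later), "deliver-opportunistic" (no promise on record,
    or testing mode: deliver as best we can and report the failure)."""
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_reply)
    entry = policy.get(recipient_domain.lower())

    if entry is None:
        # Domain never promised STARTTLS: classic opportunistic behaviour, which is
        # exactly what a stripping attacker relies on.
        return ("deliver-opportunistic", "tls" if offers_tls else "plaintext")

    if not mx_matches(entry["mxs"], mx_host):
        # Possible DNS-level redirection to an MX the domain did not declare.
        verdict = "defer" if entry["mode"] == "enforce" else "deliver-opportunistic"
        return (verdict, "mx-not-in-policy")

    if offers_tls:
        return ("deliver", "tls")

    # The domain promised STARTTLS and the reply lacks it: a downgrade, detected.
    if entry["mode"] == "enforce":
        return ("defer", "starttls-stripped")
    return ("deliver-opportunistic", "starttls-stripped-report")


if __name__ == "__main__":
    for label, reply in [("intact", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED),
                         ("mangled", EHLO_MANGLED)]:
        print(label, decide_delivery("example.com", "mx1.example.com", reply))
```

The contrast worth noticing is the first branch against the last two: without a preload entry the sender has no way to tell "this server never supported STARTTLS" from "someone removed it in transit", so it delivers in plaintext either way; with an entry, the same stripped reply becomes a deferral (enforce) or a logged failure (testing), which is the detection the quoted paragraph refers to.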


Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery
[Sydney Li and Jeremy Gillula/EFF]