Opportunistic encryption in SMTP is here (mostly)

Facebook published their outgoing SMTP stats on 13th of May. The situation is much better than what we previously thought.

Few high points:

  • 76% of hosts that Facebook contacted to send email support STARTTLS and correctly negotiated secure connection
  • 56% of outgoing email gets encrypted using TLS
  • out of encrypted email, over 98% used Perfect Forward Secrecy

The bad:

  • only 25% of domains have matching, trusted and still valid certificates
  • this falls down to 6.6% for unique MX hosts
  • and includes 59.6% of all mail
  • nearly 50% of email was transferred using the possibly passively-crackable RC4 cipher
  • the same issue affects close to 20% of domains

In summary, it looks like we are on very good road for strict certificate checking using DANE in SMTP.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s