[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Article on TLS, Transport Layer Security

(Note:  I, Jim Bell, am cross posting this article from Yahoo, not because I  believe it to be 'accurate' (I have no opinion on that), but because I believe that we need to not merely hear 'The Truth', but also 'The Story', specifically the story (stories) that the Internet-based news media is telling the public.)


From its start in 1971, Internet-based email has not been known for its high security. As security researcher Bruce Schneier wrote in a 1995 essay for Macworld on the privacy perils of email: â??Itâ??s like a postcard that anyone can read along the way.â?? 
That unfortunate fact is finally fracturing. Email is getting safer for you â?? provided that your mail service and your correspondentâ??s both use a standard called â??TLS,â?? short for Transport Layer Security. Finally, Google and other providers are starting to turn on TLS for the public.
Read more: 4 Ways Your Email Provider Can Encrypt Your Messages

TLS, then and now
The move to the use of TLS could have happened more than five years ago: A 1.0 version of the TLS specification emerged only four years after Schneierâ??s essay, and the current 1.2 version dates to 2008. But even as mail services secured peopleâ??s log-ins, they did not take the extra step of scrambling their messages while in transit.
Those who knew this would commonly comfort themselves with the lost-in-the-crowd theory of security: With some 183 billion messages a daysent back and forth, who would possibly have the time to look for one in particular? 
Then one year ago, Edward Snowden began giving a crash course in National Security Agency surveillance, which had the policy and, for the first time in history, the technology to collect everything first and index it later. 
After a few weeks of Snowdenâ??s revelations, CNETâ??s Declan McCullagh made a simple observation: Gmail supported TLS, but other major email services did not, meaning that a huge chunk of the worldâ??s email could be inspected by the NSA and its ilk, because for TLS to work, both sides of an email conversation have to support it.
To make it more difficult for the NSA to simply absorb the worldâ??s email, more tech companies took an active interest in TLS, including Yahoo Techâ??s publisher, Yahoo, which had lagged in its support for encryption, according to the Washington Post.
Progress and confusion
With the growing use of TLS, the odds are now lower that your email is going out on a postcard. In mid-May, a study by Facebook found that 58 percent of the social networkâ??s email notifications to members were going out encrypted. And last week, Google posted similar numbers: 71 percent of messages from Gmail to elsewhere went out encrypted, while 50 percent of those received by Gmail also arrived locked.
Thereâ??s your good news: Weâ??ve fixed a core defect in email and reduced the capability of well-meaning friends, family, and business partners to inadvertently risk your privacy by sending sensitive data about you in their own email. And with TLS, you donâ??t have to install any software or change any settings to get its advantage.
The bad news: Itâ??s hard to figure out if your own provider has done its part. 
Googleâ??s regularly updated transparency report now includes a section on â??encryption in transitâ?? that lets you check to see if other large mail services do TLS. But it can yield confusing results, and smaller systems (say, your employerâ??s) donâ??t show up. 
You can also check for TLS use on any site at STARTTLS.info.
Should you switch?
If you spend any time experimenting with STARTTLS.info, youâ??ll quickly see how badly many consumer Internet providersâ?? mail services lag behind webmail. Comcast is turning on TLS one provider at a time, and CenturyLink already supports it. But Time Warner Cable, Verizon, and Cox have not announced plans to enable TLS.
Among webmail companies, Yahoo followed Gmail by turning on TLS in the first quarter of this year, AOL has done the same, and Microsoft is â??currently rolling out TLS,â?? a spokesperson said. 
Checks of Appleâ??s services show patchy support, and the company did not answer a request for clarification.
There are good reasons to separate your email from your ISP â?? starting with not having to worry about running out of online storage or having to send hundreds of change-of-address notices if you switch providers. But webmail has its own privacy issue: Most of these services are paid for by ads that target the words in your messages. 
The price to evade the NSAâ??s eyes doesnâ??t have to include subjecting your email to your providerâ??s advertising robots. Among the four big webmail services that now use TLS, Microsoft and Yahoo let you pay to clean the ads from your account  ( $19.95 a year at Microsoft, $49.99 a year at Yahoo), while Google will open a new, $50/year ad-free Google Apps account  for you at the domain name of your choice.
But how many of you have exercised any of those ad-free options?
Email Rob at [email protected]; follow him on Twitter at@robpegoraro.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20140610/f15c4240/attachment.html>