Monday, March 5, 2012

Email is not always sent in the clear!

I heard this today in a Marketplace Tech report (here), which draws on information and content from a Computerworld article (here).

"email is not even transmitted encrypted, it's transmitted in the clear" - David Jefferson, a computer scientist at Lawrence Livermore National Laboratories and chairman of the election watchdog group Verified Voting.

This is completely false for some email. Period.

Misinformation or misleading things in the news bother me, so I felt compelled to write about this. Email is not necessarily sent in the clear. Yes, it can be; however, that's not always the case. I suppose some email may be transmitted in the clear by older systems and by people who have configured their systems to act that way. It's the same as mailing someone cash through the postal service: yes, you could do that if you wanted to, but the statement "everyone sends cash through the postal service" would be false.

So the question, of course, is how much email is transmitted this way. Well, Microsoft Exchange email systems had a 65% market share as of 2009 (1), so it's safe to say at least a significant portion of email traffic flows through Microsoft Exchange email servers. The exact percentage of email sent in the clear versus encrypted would be a bit challenging for me to quantify and is beyond my means, so it is not something I can answer.

However, it is important to note that modern email systems have the ability (if not the default) to transmit via an encrypted connection. This is done in some cases via TLS, or it can be done via "opportunistic TLS" as Microsoft has implemented it. You could even (in situations requiring higher security) require all mail sent to you to be encrypted.

Microsoft Exchange 2007 (2) and 2010 (3) have this feature enabled by default, so if the other end supports it, they will encrypt the email they send to those systems.

It looks like sendmail (popular Linux SMTP software) will also try to establish a TLS session by default when sending email. (4)
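
Whether a particular message actually crossed each server-to-server hop over TLS can be checked from the Received headers the servers add. The sketch below is an added example, not part of the original post; it assumes the RFC 3848 "with" keywords (ESMTPS and its variants) plus a comment-based heuristic, and the sample message and every hostname in it are constructed.

```python
import re
from email import message_from_string

# Constructed sample message: every hostname, address and id is made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby inbound.example.org (Postfix) with ESMTPS id 4A1B2C3D
\tfor <bob@example.org>; Mon, 5 Mar 2012 10:00:03 -0800
Received: from edge.example.net (192.0.2.20) by mx.example.net (192.0.2.10)
\twith Microsoft SMTP Server (TLS) id 14.0.0.0; Mon, 5 Mar 2012 10:00:02 -0800
Received: from legacy.example.net (legacy.example.net [192.0.2.30])
\tby edge.example.net with ESMTP id q25I01; Mon, 5 Mar 2012 10:00:01 -0800
From: alice@example.net

body
"""

# "with" keywords that mean SMTP/LMTP over STARTTLS (RFC 3848, RFC 6531).
TLS_KEYWORD = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)SA?$", re.I)
# Heuristic (assumption): some servers note TLS only inside a (comment).
TLS_COMMENT = re.compile(r"\b(?:TLS|SSL)(?:v?\d|\))", re.I)
INNERMOST_COMMENT = re.compile(r"\([^()]*\)")

def audit_hop(value):
    """Classify one Received header value as TLS or cleartext."""
    text, comments = " ".join(value.split()), []
    # Peel comments inside-out so "with cipher" in a comment is not the protocol.
    while (m := INNERMOST_COMMENT.search(text)):
        comments.append(m.group(0))
        text = text[:m.start()] + " " + text[m.end():]
    def clause(word):
        found = re.search(rf"\b{word}\s+([^\s;]+)", text)
        return found.group(1) if found else ""
    keyword = clause("with")
    tls = bool(TLS_KEYWORD.match(keyword)) or any(map(TLS_COMMENT.search, comments))
    return {"from": clause("from"), "by": clause("by"), "with": keyword, "tls": tls}

def audit_message(raw):
    """Return hops in the order the message travelled (headers are prepended)."""
    received = message_from_string(raw).get_all("Received") or []
    return [audit_hop(v) for v in reversed(received)]

def cleartext_hops(raw):
    return [(h["from"], h["by"]) for h in audit_message(raw) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_message(SAMPLE):
        print(f'{hop["from"]} -> {hop["by"]}: {"TLS" if hop["tls"] else "cleartext"}')
```

Each Received line is written by the receiving server of that hop, so only the lines added by servers you trust are reliable evidence; anything below them could have been supplied by the sender.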

Yes, this method of sending email in an encrypted manner is not a perfectly secure system, nor are most (if any) systems perfectly secure. However, to state that email is sent "in the clear" is only partially true at best. A hypothetical organization dealing with voting could easily require encryption of all email sent to them, which would mean no hypothetical votes would be emails sent "in the clear".


1 - http://www.microsoft.com/presspass/features/2009/jan09/01-16qascult.mspx

2 - http://technet.microsoft.com/en-us/library/bb430753(v=exchg.80).aspx

3 - http://technet.microsoft.com/en-us/library/bb430753.aspx

4 - http://www.sendmail.org/m4/starttls.html#disable_starttls

2 comments:

sep332 said...

Your email client might pull emails from the server over TLS, but that's not what he's talking about. If you send an email from a comcast.com account to a gmail.com account, that email will be sent in the clear between those servers.

Dan said...

There are options in both cases (server to client and server to server) to either enable or disable TLS. With Microsoft Exchange and Sendmail the server to server connections will try to negotiate TLS by default. Yes, if Google or Comcast disabled TLS then the email would be sent in the clear. My point was 1) that there ARE options out there to do encryption for server to server communication and 2) that some servers have this enabled by default.