Explained: How ‘TLS’ Keeps Your Email Secure
(Rob Pegoraro/Yahoo Tech)
From its start in 1971, Internet-based email has not been known for its high security. As security researcher Bruce Schneier wrote in a 1995 essay for Macworld on the privacy perils of email: “It’s like a postcard that anyone can read along the way.”
That unfortunate fact is finally fracturing. Email is getting safer for you — provided that your mail service and your correspondent’s both use a standard called “TLS,” short for Transport Layer Security. Finally, Google and other providers are starting to turn on TLS for the public.
Read more: 4 Ways Your Email Provider Can Encrypt Your Messages
TLS, then and now
The move to the use of TLS could have happened more than five years ago: A 1.0 version of the TLS specification emerged only four years after Schneier’s essay, and the current 1.2 version dates to 2008. But even as mail services secured people’s log-ins, they did not take the extra step of scrambling their messages while in transit.
Those who knew this would commonly comfort themselves with the lost-in-the-crowd theory of security: With some 183 billion messages a day sent back and forth, who would possibly have the time to look for one in particular?
Then one year ago, Edward Snowden began giving a crash course in National Security Agency surveillance, which had the policy and, for the first time in history, the technology to collect everything first and index it later.
After a few weeks of Snowden’s revelations, CNET’s Declan McCullagh made a simple observation: Gmail supported TLS, but other major email services did not, meaning that a huge chunk of the world’s email could be inspected by the NSA and its ilk, because for TLS to work, both sides of an email conversation have to support it.
To make it more difficult for the NSA to simply absorb the world’s email, more tech companies took an active interest in TLS, including Yahoo Tech’s publisher, Yahoo, which had lagged in its support for encryption, according to the Washington Post.
Progress and confusion
With the growing use of TLS, the odds are now lower that your email is going out on a postcard. In mid-May, a study by Facebook found that 58 percent of the social network’s email notifications to members were going out encrypted. And last week, Google posted similar numbers: 71 percent of messages from Gmail to elsewhere went out encrypted, while 50 percent of those received by Gmail also arrived locked.
There’s your good news: We’ve fixed a core defect in email and reduced the capability of well-meaning friends, family, and business partners to inadvertently risk your privacy by sending sensitive data about you in their own email. And with TLS, you don’t have to install any software or change any settings to get its advantage.
The bad news: It’s hard to figure out if your own provider has done its part.
Google’s regularly updated transparency report now includes a section on “encryption in transit” that lets you check to see if other large mail services do TLS. But it can yield confusing results, and smaller systems (say, your employer’s) don’t show up.
You can also check for TLS use on any site at STARTTLS.info.
Should you switch?
If you spend any time experimenting with STARTTLS.info, you’ll quickly see how badly many consumer Internet providers’ mail services lag behind webmail. Comcast is turning on TLS one provider at a time, and CenturyLink already supports it. But Time Warner Cable, Verizon, and Cox have not announced plans to enable TLS.
Among webmail companies, Yahoo followed Gmail by turning on TLS in the first quarter of this year, AOL has done the same, and Microsoft is “currently rolling out TLS,” a spokesperson said.
Checks of Apple’s services show patchy support, and the company did not answer a request for clarification.
There are good reasons to separate your email from your ISP — starting with not having to worry about running out of online storage or having to send hundreds of change-of-address notices if you switch providers. But webmail has its own privacy issue: Most of these services are paid for by ads that target the words in your messages.
The price to evade the NSA’s eyes doesn’t have to include subjecting your email to your provider’s advertising robots. Among the four big webmail services that now use TLS, Microsoft and Yahoo let you pay to clean the ads from your account ( $19.95 a year at Microsoft, $49.99 a year at Yahoo), while Google will open a new, $50/year ad-free Google Apps account for you at the domain name of your choice.
But how many of you have exercised any of those ad-free options?
Email Rob at [email protected]; follow him on Twitter at @robpegoraro.