Web giants are collaborating to fix some of the problems that expose STARTTLS to attacks that downgrade encrypted connections to insecure ones.
Amazon, Facebook, Google, Microsoft, Yahoo, and others have all started supporting STARTTLS, an extension that can upgrade plain text connections on the Simple Mail Transfer Protocol (SMTP) to encrypted ones.
But according to recent research to which Google contributed, one of the problems with the "opportunistic encryption" enabled by STARTTLS is that the system "favors failing open": even if something isn't right, the email is still sent unencrypted, also known as "in the clear".
The design is meant to encourage adoption of STARTTLS. However, the research highlights that attackers are easily able to use network devices to force a downgrade to non-encrypted channels...
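The fail-open versus fail-closed choice the article describes comes down to what an SMTP client does when the server's EHLO reply carries no STARTTLS keyword, whether because the server never offered it or because a device in the path removed it. The following added example (not code from the article or from the research it cites) parses two constructed EHLO replies and shows how each policy decides the next step:

```python
"""Added example (not from the article): decide whether an SMTP session may
continue, based on the capabilities a server advertises in its EHLO reply.

An opportunistic, fail-open client sends mail in the clear when STARTTLS is
missing, so a network device that strips the keyword downgrades the session.
A fail-closed client aborts instead. All replies below are constructed data.
"""
import re

# Constructed EHLO reply from a server that offers STARTTLS.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)

# The same server as seen through a device that removed the STARTTLS line.
EHLO_STRIPPED = (
    b"250-mail.example.test Hello\r\n"
    b"250-SIZE 35882577\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(reply: bytes) -> set:
    """Return the EHLO keywords (upper-cased) from a multi-line 250 reply.

    Every line is '250-KEYWORD [params]' except the last, which uses '250 '.
    The first line is the server greeting, not a capability, so it is skipped.
    """
    lines = reply.decode("ascii", errors="replace").split("\r\n")
    caps = set()
    for line in lines[1:]:
        m = re.match(r"^250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def next_step(reply: bytes, require_tls: bool) -> str:
    """Apply the client policy to an EHLO reply.

    require_tls=False is the opportunistic, fail-open behaviour: continue in
    plaintext when STARTTLS is absent. require_tls=True fails closed: a missing
    STARTTLS keyword aborts the session rather than downgrading it.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"  # upgrade the connection before sending anything
    return "abort" if require_tls else "plaintext"
```

Python's own `smtplib.SMTP.starttls()` raises `SMTPNotSupportedError` when the keyword was not advertised, so a client that calls it unconditionally and treats that error as fatal behaves like the fail-closed branch above.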