Why aren’t more news organizations protecting their e-mail with STARTTLS encryption?


We found that news organizations like the Associated Press, Le Monde, LA Times, CBS News, Forbes, Baltimore Sun, and Der Spiegel are still not protecting journalists and their sources from this type of surveillance, and are putting all of the people who communicate with them at risk of being spied on.

Lazy, complicit or merely inept? Sometimes it’s hard to tell the difference. Reckon one can fall back on Hanlon’s Razor and say “Never attribute to malice that which is adequately explained by stupidity”, but after a time on some issues, I think that Hanlon’s Razor needs a sharper edge. At some point complicity (read “malice”) must be considered. And since it’s not like these organizations don’t know…


For many years, I was personally responsible for securing the internet-facing mail servers for the LA Times, Chicago Tribune, and Baltimore Sun (all Tribune properties). Policy was to discourage reporters from using corporate email infrastructure to communicate with any sensitive source.

All of these papers still use shared email infrastructure, and I am unsurprised they haven’t implemented STARTTLS. It was a constant battle to not give up security for performance, and the situation only got worse under Sam Zell.


Boing Boing itself doesn’t implement SSL on its homepage…they keep posting articles like this, but they haven’t done anything to protect their users…from people snooping on what we are reading, from potential false or fake news items inserted via man-in-the-middle…or just not increasing the amount of encrypted traffic to make it harder to sort through…all news sites should implement SSL…seems pretty basic…


STARTTLS only protects one hop. Most email goes through at least two hops – from a client machine to the ISP’s SMTP server, then from the ISP’s SMTP server to the destination. Most people have no control over whether their ISP implements STARTTLS or not, and furthermore, no way of knowing whether their ISP’s email server is compromised by the NSA or not.

In short, blaming media companies alone for the situation is insufficient. Yes, they should turn on STARTTLS support. But unless the forwarding ISPs also support encryption, and the popular email programs (Outlook, Apple Mail, Thunderbird) also start supporting talking directly to destination email servers via encrypted connections, that does not do a lot of good.

Note that the final alternative – sending directly to destination servers on port 465/587 with SSL or STARTTLS – is utterly impossible. The problem is spam. My email server is deluged with spam. First off, most IP addresses are blacklisted either on the DYNDNS lists or because they’re known spammers, so you’re not connecting to my email server from your house. Furthermore, without SPF/DKIM records authenticating the sending email server via its SPF record in the DNS system, most email gets rejected. But these mail server authentication protocols basically enforce the two-hop paradigm, since you at your house on a dynamic IP aren’t going to have an SPF record for your IP. No entity which receives any significant amount of email can survive on today’s Internet without rejecting connections from the majority of IP addresses. There’s just too much spam out there; you’ll be deluged unless you do that. It’s just impossible. Been there. Done that. Know first-hand.

So: Why aren’t they doing it? Probably because the way things currently work on the Internet, where thanks to spammers most email is forced through fixed ISP SMTP servers that don’t themselves implement STARTTLS, it wouldn’t help. Thank you, spammers!


I can’t even tell if this is snark - but didn’t we recently learn SSL is completely compromised?

As a reminder to @Boundegar @badtux99 @georgebell @ACE and @Romberry “never let facts get in the way of an internet outrage.”

STARTTLS is trivially vulnerable to man-in-the-middle downgrade attacks, which the various surveillance agencies can easily and cheaply set up. If you want your mail transport to be secure, you have to use an SSL-only connection, not an SSL-optional connection. So although I think the criticism raised here is valid, the proposed solution is useless.
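An added example, not from the thread or any of the posters, illustrating the two points made above: STARTTLS covers only one hop, and an opportunistic STARTTLS client can be downgraded by anything on the path that removes the capability from the EHLO reply. The server name, EHLO reply and hop names are constructed for the simulation; the "require_tls" policy stands in for the enforced, SSL-only stance the last post argues for.

```python
# Added example, not code from the thread: models why opportunistic STARTTLS
# can be downgraded by an on-path middlebox and why it only covers one hop.
# Server names and EHLO replies below are constructed for the simulation.

STARTTLS_CAP = "STARTTLS"


def parse_ehlo(reply: str) -> set:
    """Collect capability keywords from an EHLO reply.

    Intermediate lines are '250-KEYWORD [args]', the final line is
    '250 KEYWORD [args]'; the keyword is the first token after the code.
    """
    caps = set()
    for line in reply.splitlines():
        if not line.startswith("250") or len(line) < 5:
            continue
        tokens = line[4:].split()
        if tokens:
            caps.add(tokens[0].upper())
    return caps


# Constructed EHLO reply from a receiving server that does offer STARTTLS.
HONEST_EHLO = "\r\n".join([
    "250-mx.example.test greets sender",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250 8BITMIME",
])


def strip_starttls(reply: str) -> str:
    """Model a downgrading middlebox: drop the STARTTLS line from the reply
    and re-mark the last remaining line as final ('250 ' instead of '250-')."""
    bodies = []
    for line in reply.split("\r\n"):
        if not line.startswith("250"):
            continue
        body = line[4:]
        if body.split()[:1] != [STARTTLS_CAP]:
            bodies.append(body)
    return "\r\n".join(["250-" + b for b in bodies[:-1]] + ["250 " + bodies[-1]])


def negotiate_hop(reply: str, require_tls: bool) -> str:
    """Sending side's decision for one SMTP hop: 'tls' if STARTTLS is offered,
    otherwise 'plaintext' under an opportunistic policy or 'refused' under an
    enforced one."""
    if STARTTLS_CAP in parse_ehlo(reply):
        return "tls"
    return "refused" if require_tls else "plaintext"


def deliver(path, require_tls: bool):
    """Walk the hops a message takes (client -> ISP -> destination ...).

    path: list of (hop_name, ehlo_reply_as_seen_by_the_sender).
    Returns (per-hop outcomes, exposed), where exposed is True if the message
    crossed any hop in the clear. Delivery stops at the first refused hop.
    """
    outcomes = []
    for name, reply in path:
        outcome = negotiate_hop(reply, require_tls)
        outcomes.append((name, outcome))
        if outcome == "refused":
            break
    exposed = any(o == "plaintext" for _, o in outcomes)
    return outcomes, exposed


# Constructed two-hop path: a middlebox on the first hop strips STARTTLS,
# the second hop (ISP -> destination) is untouched.
DOWNGRADED_PATH = [
    ("client->isp", strip_starttls(HONEST_EHLO)),
    ("isp->destination", HONEST_EHLO),
]

if __name__ == "__main__":
    for policy in (False, True):
        outcomes, exposed = deliver(DOWNGRADED_PATH, require_tls=policy)
        print(f"require_tls={policy}: {outcomes} exposed={exposed}")
```

With the opportunistic policy the first hop silently falls back to plaintext and the message is exposed even though the second hop encrypts; with the enforced policy the first hop is refused and nothing leaves in the clear. Against a real server the equivalent manual check is `openssl s_client -starttls smtp -connect host:25`, which shows whether STARTTLS actually negotiates; enforcing it for inter-server hops is what MTA-STS (RFC 8461) and DANE for SMTP (RFC 7672) exist for.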


They aren’t using it because it’s not turned on by default in Microsoft Exchange.
