How safe are Facebook’s notification emails?


When Facebook sends out notification emails, such as for a tagged photo or a friend request, the message is usually encrypted in transit using STARTTLS, an extension that upgrades a plain-text communication protocol to an encrypted connection. STARTTLS has been around for 15 years, but Facebook heard it wasn’t widely deployed. The company wanted to test its own email systems to see how many notification emails were encrypted with STARTTLS.

Facebook found that 76 percent of unique MX hostnames that receive its notification emails (which can number in the billions per day) support STARTTLS, and that 58 percent of notification emails are successfully encrypted. Certificate validation passes for roughly half of encrypted email, and the other half is opportunistically encrypted. Facebook pointed out that 74 percent of hosts that support STARTTLS also provide Perfect Forward Secrecy.

Facebook’s Michael Adkins, a Mail Integrity Engineer, explained the methodology of this test:

Facebook sends several billion emails to several million domains every day. This is mostly comprised of notification emails about various activities on Facebook as well as account-related emails such as registration confirmations and password resets. We used a single day’s worth of our notification email logs from our production system for this report, since our goal here is to show a snapshot of current deployments rather than configuration changes over time. These logs contain the kind of data you would expect to find in any email server logs, such as the sender and recipient, where the email came from, and where we are sending it. For the purposes of this report we only concern ourselves with the STARTTLS results, the recipient’s domain, the MX hostname we connected to, and the receiving email server’s IP address.

Adkins also made his pitch for wider adoption of STARTTLS:

STARTTLS encryption is widely supported and has achieved critical mass despite some issues with certificate management. A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted. Also, the majority of deployments provide Perfect Forward Secrecy. We see two high priority areas for improvement. First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS.

Image courtesy of Shutterstock.
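
The report's figures mix two denominators: unique MX hostnames for STARTTLS and Perfect Forward Secrecy support, and individual messages for encryption and certificate validation. The following is an added example, not Facebook's code, showing how those metrics fall out of outbound delivery logs; the record layout, field names and sample rows are constructed, and cipher names are assumed to be OpenSSL-style.

```python
from collections import defaultdict

# Constructed sample records (not Facebook data). Hypothetical layout:
# (recipient_domain, mx_host, starttls_offered, tls_established, cert_valid, cipher)
SAMPLE_LOG = [
    ("a.example", "mx1.a.example", True, True, True, "ECDHE-RSA-AES128-GCM-SHA256"),
    ("a.example", "mx1.a.example", True, True, True, "ECDHE-RSA-AES128-GCM-SHA256"),
    ("b.example", "mx.b.example", True, True, False, "AES256-SHA"),
    ("c.example", "mx.c.example", False, False, False, None),
    ("c.example", "mx.c.example", False, False, False, None),
    ("d.example", "mx.d.example", True, False, False, None),  # offered, handshake failed
    ("e.example", "mx.e.example", True, True, False, "DHE-RSA-AES256-SHA"),
    ("f.example", "mx.f.example", True, True, True, "ECDHE-RSA-AES256-GCM-SHA384"),
]

def is_pfs(cipher):
    """True if the suite uses ephemeral key exchange (assumes OpenSSL-style names,
    where only TLS 1.3 suites start with TLS_ and those are always ephemeral)."""
    return bool(cipher) and cipher.startswith(("ECDHE-", "DHE-", "TLS_"))

def pct(num, den):
    return round(100.0 * num / den, 1) if den else 0.0

def summarize(records):
    """Compute per-host and per-message STARTTLS metrics from delivery records."""
    hosts = defaultdict(lambda: {"starttls": False, "pfs": False})
    total = encrypted = validated = 0
    for _domain, mx, offered, established, cert_ok, cipher in records:
        total += 1
        hosts[mx]["starttls"] |= offered
        hosts[mx]["pfs"] |= established and is_pfs(cipher)
        if established:
            encrypted += 1
            # A failed validation still leaves the message encrypted (opportunistic).
            validated += bool(cert_ok)
    tls_hosts = [h for h in hosts.values() if h["starttls"]]
    return {
        "hosts_supporting_starttls_pct": pct(len(tls_hosts), len(hosts)),
        "messages_encrypted_pct": pct(encrypted, total),
        "encrypted_with_valid_cert_pct": pct(validated, encrypted),
        "encrypted_opportunistic_pct": pct(encrypted - validated, encrypted),
        "starttls_hosts_with_pfs_pct": pct(sum(h["pfs"] for h in tls_hosts), len(tls_hosts)),
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Counting a host that offers STARTTLS but fails the handshake (mx.d.example here) as "supporting" while its message counts as unencrypted is one reason the per-host figure can sit well above the per-message figure.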
