How safe are Facebook’s notification emails?


When Facebook sends out emails about notifications, such as a tagged photo or a friend request, the message is usually encrypted using STARTTLS, an extension that upgrades a plain text communication protocol to an encrypted, more secure connection. STARTTLS has been around for 15 years, but Facebook heard it wasn’t widely deployed. The company wanted to test its own email systems to see how many notification emails were encrypted with STARTTLS.

Facebook found that 76 percent of unique MX hostnames that receive its notification emails (which can number in the billions per day) support STARTTLS, and 58 percent of notification emails are successfully encrypted. Certificate validation passes for roughly half of the encrypted email, and the other half is opportunistically encrypted. Facebook pointed out that 74 percent of hosts that support STARTTLS also provide Perfect Forward Secrecy.

Facebook’s Michael Adkins, a Mail Integrity Engineer, explained the methodology of this test:

Facebook sends several billion emails to several million domains every day. This is mostly comprised of notification emails about various activities on Facebook as well as account-related emails such as registration confirmations and password resets. We used a single day’s worth of our notification email logs from our production system for this report, since our goal here is to show a snapshot of current deployments rather than configuration changes over time. These logs contain the kind of data you would expect to find in any email server logs, such as the sender and recipient, where the email came from, and where we are sending it. For the purposes of this report we only concern ourselves with the STARTTLS results, the recipient’s domain, the MX hostname we connected to, and the receiving email server’s IP address.

Adkins also made his pitch for wider adoption of STARTTLS:

STARTTLS encryption is widely supported and has achieved critical mass despite some issues with certificate management. A system deploying STARTTLS support for the first time can expect more than half of its outbound email to be encrypted. Also, the majority of deployments provide Perfect Forward Secrecy. We see two high priority areas for improvement. First, we encourage the industry to work together to develop better tools for preventing mismatched certificates. Second, we encourage everyone to deploy support for opportunistic encryption via STARTTLS.
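To show how the figures above relate to the log fields Adkins lists, here is an added example (not Facebook's code) that computes the same kinds of metrics from a small constructed delivery log. The log format, field names and sample rows are assumptions made for illustration.

```python
import csv
import io

# Constructed sample delivery log; the format is an assumption, not Facebook's.
# Columns: recipient domain, MX hostname, server IP, STARTTLS offered,
# TLS session established, certificate validated, negotiated cipher suite.
SAMPLE_LOG = """\
example.org,mx1.example.org,192.0.2.10,yes,yes,yes,ECDHE-RSA-AES128-GCM-SHA256
example.org,mx1.example.org,192.0.2.10,yes,yes,yes,ECDHE-RSA-AES128-GCM-SHA256
example.net,mx.example.net,198.51.100.7,yes,yes,no,AES256-SHA
example.com,mail.example.com,203.0.113.5,no,no,no,-
example.edu,mx.example.edu,203.0.113.9,yes,no,no,-
example.org,mx2.example.org,192.0.2.11,yes,yes,no,DHE-RSA-AES256-SHA
"""
FIELDS = ["domain", "mx", "ip", "offered", "encrypted", "cert_ok", "cipher"]

def is_pfs(cipher):
    # OpenSSL-style names: ephemeral (EC)DH key exchange gives forward secrecy;
    # TLS 1.3 suites (TLS_*) always use an ephemeral key exchange.
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_"))

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def summarize(log_text):
    rows = list(csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS))
    hosts = {}  # MX hostname -> what we observed for that host
    for r in rows:
        h = hosts.setdefault(r["mx"], {"starttls": False, "pfs": False})
        h["starttls"] |= r["offered"] == "yes"
        h["pfs"] |= r["encrypted"] == "yes" and is_pfs(r["cipher"])
    tls_hosts = [h for h in hosts.values() if h["starttls"]]
    encrypted = [r for r in rows if r["encrypted"] == "yes"]
    validated = [r for r in encrypted if r["cert_ok"] == "yes"]
    return {
        # Per-host metric: counts each MX hostname once, however much mail it gets.
        "hosts_supporting_starttls_pct": pct(len(tls_hosts), len(hosts)),
        # Per-message metrics: weighted by mail volume, so they can differ a lot.
        "messages_encrypted_pct": pct(len(encrypted), len(rows)),
        "encrypted_with_valid_cert_pct": pct(len(validated), len(encrypted)),
        "encrypted_opportunistic_pct": pct(len(encrypted) - len(validated), len(encrypted)),
        "starttls_hosts_with_pfs_pct": pct(sum(h["pfs"] for h in tls_hosts), len(tls_hosts)),
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The row for mx.example.edu offers STARTTLS but the session is never established, which is one reason the per-host support figure and the per-message encryption figure do not match.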
