New M3AAWG Guidelines Recommend Opportunistic TLS as Quick Fix to Protect End-Users From Pervasive Monitoring
December 2014 by M3AAWG
M3AAWG Initial Recommendations outlines a short set of strategic best practices to help the thousands of regional and midsized service providers, and businesses in general, protect end-users from potential eavesdropping or password theft. The Messaging, Malware and Mobile Anti-Abuse Working Group today released the paper to encourage the adoption of opportunistic TLS and other basic encryption measures as essential practices worldwide at all organizations managing their own mail servers.
The Internet Architecture Board, a committee of the IETF standards organization, issued a statement in November strongly urging operators "to deploy encryption where it is not yet deployed," reflecting a growing industry consensus described in a M3AAWG video discussion on encrypted email with Facebook and Google messaging engineers. Recognizing that the technology to support this effort often involves substantial time and planning, the M3AAWG paper points out three basic steps organizations can take to relatively quickly protect a significant volume of their email traffic.
The recommendations are applicable to organizations involved with email services, including email service providers, network operators, Internet Service Providers and mailbox providers. They also should be implemented at large corporations and at the mid to small businesses that often operate their own mail servers.
"The Internet is a cooperative effort and no one operator can completely secure their users’ email, even with the most stringent policies. The only way to shield end users from the pervasive monitoring and cybercrime prevalent today is if operators and businesses everywhere step up to the challenge and apply the necessary measures to safeguard messages as they travel to their final destinations. The M3AAWG recommendations on opportunistic TLS outline technologies operators can implement right now as an initial step to protect the email that flows through their servers and to preserve users’ trust in the safety of the Internet," said Chris Roosenraad, M3AAWG Chairman of the Board.
The current default has been that email transits through the Internet without any encryption. The best practices outlined in TLS for Mail: M3AAWG Initial Recommendations (https://www.m3aawg.org/sites/maawg/...) advocate using encryption at three points:
Turning on the opportunistic encryption option in TLS for all mail servers — this will cause the system to automatically try to encrypt the communications channel when receiving email from other systems or sending email. TLS generates an ad-hoc key and does not require a prearranged key exchange, simplifying the encryption process.
Encrypting email traffic on internal service provider networks
Using encryption to protect users’ passwords
The M3AAWG Pervasive Monitoring Special Interest Group is also developing a series of best practices that will provide detailed guidance on implementing opportunistic TLS and address other relevant issues. The SIG co-chairs announce the recommendations that were released today and explain the group’s roadmap going forward in a video included in the Pervasive Monitoring Playlist on the M3AAWG YouTube channel at www.youtube.com/maawg.
About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.M3AAWG.org) represents more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, M3AAWG is driven by market needs and supported by major network operators and messaging providers.
M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); Constant Contact (NASDAQ: CTCT); Cox Communications; Damballa, Inc.; Facebook; Google; LinkedIn; Mailchimp; Orange (NYSE: ORA) (EURONEXT: ORA); PayPal; Return Path; Time Warner Cable; Verizon Communications; and Yahoo! Inc.
M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; AOL; BAE Systems Detica; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Dyn; iContact/Vocus; Internet Initiative Japan (IIJ) (NASDAQ: IIJI); Level3; Litmus; McAfee Inc.; Microsoft Corp.; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; Proofpoint; Scality; Spamhaus; Sprint; Symantec; and Twitter.
A complete member list is available at http://www.m3aawg.org/about/roster