[iw] - DOD finally deploys START/TLS

Richard Forno rforno at infowarrior.org
Tue Mar 9 17:18:28 EST 2021

(Wow....this seems like a no-brainer.  Color me kind of surprised it took 'em this long to do it.  --rick)

The Pentagon had an email security problem. The pandemic fixed it.

< - >

The root of the problem: The Pentagon never fully implemented a widely used security protocol, known as STARTTLS, that makes it easier for email servers to exchange encrypted messages. The protocol was created in 2002, but over the years the department enabled it only for communications with a handful of external agencies.

Even when the Pentagon overhauled its email safeguards in 2017 and 2018, its Defense Information Systems Agency opted not to buy a security certificate that would vouch for the authenticity of DoD emails — instead creating its own, less universally accepted version.

The setup ensured that Pentagon emails could be encrypted as long as they remained within the department’s networks. But messages lost that protection once they reached the outside world, where most email systems didn’t trust the department’s homegrown certificate.

The pandemic changed all that, by hastening efforts to adopt STARTTLS for all traffic crossing DoD’s email gateway.
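The two gaps the article describes (a gateway that never offers STARTTLS, and one whose STARTTLS certificate outside servers do not trust) are exactly what a mail administrator checks from the outside. The probe below is an added example, not code from the article, DoD or DISA; the host name, client name and EHLO reply in the tests are constructed, and it relies only on the Python standard library and the system CA store.

```python
"""Probe one MX for the two gaps described above: no STARTTLS, or an untrusted cert."""
import socket
import ssl

def parse_reply(raw: bytes) -> tuple[int, list[str]]:
    """Parse an RFC 5321 reply (single or multi-line) into (code, line bodies)."""
    lines = [l for l in raw.decode("ascii", "replace").split("\r\n") if l]
    code = lines[0][:3]
    if any(l[:3] != code or l[3:4] not in ("-", " ") for l in lines) or lines[-1][3] != " ":
        raise ValueError(f"malformed or incomplete reply: {raw!r}")
    return int(code), [l[4:] for l in lines]

def reply_complete(buf: bytes) -> bool:
    """True once buf ends with the reply's final line (code followed by a space)."""
    return buf.endswith(b"\r\n") and buf[:-2].rsplit(b"\r\n", 1)[-1][3:4] == b" "

def ehlo_extensions(lines: list[str]) -> dict[str, str]:
    """Map the EHLO keywords after the greeting line to their parameters."""
    ext = {}
    for body in lines[1:]:
        keyword, _, params = body.partition(" ")
        ext[keyword.upper()] = params
    return ext

def _recv_reply(sock: socket.socket) -> tuple[int, list[str]]:
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return parse_reply(buf)

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Return 'no-starttls', 'untrusted-cert' or 'ok' for the given MX host."""
    ctx = ssl.create_default_context()  # system CA store plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _recv_reply(sock)                                  # 220 banner
        sock.sendall(b"EHLO probe.example.invalid\r\n")    # constructed client name
        code, lines = _recv_reply(sock)
        if code != 250 or "STARTTLS" not in ehlo_extensions(lines):
            return "no-starttls"                           # mail would cross in clear text
        sock.sendall(b"STARTTLS\r\n")
        if _recv_reply(sock)[0] != 220:
            return "no-starttls"
        try:                                               # handshake with full verification
            ctx.wrap_socket(sock, server_hostname=host).close()
        except ssl.SSLCertVerificationError:
            return "untrusted-cert"                        # the homegrown-certificate case
    return "ok"
```

Run `probe_starttls` against each MX host returned by the domain's MX lookup; a result of "untrusted-cert" is the condition the article describes, where encryption is offered but peers outside the organisation will not rely on it.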

< - >

DDS ultimately spent $3,000 to purchase a certificate from a company called Entrust. “Spending $3,000 to secure over 2 million email accounts was a drop in the bucket to resolve a lingering issue and significantly improve our security posture,” Goldstein said.

< - >

The shift by DoD drew applause from people who have urged wider adoption of STARTTLS following former NSA contractor Edward Snowden’s revelations of government mass surveillance in 2013. But some had only limited praise for the department’s decision to finally catch up with the rest of the world.

Alexis Hancock, a technologist at the Electronic Frontier Foundation, said the move warrants only a “golf clap” because calls for adopting STARTTLS became more urgent and widespread post-Snowden.

< - >
