Raising the Shields – Part 11: My Email Hoster uses Perfect Forward Secrecy Now

One of the few positive outcomes of the ongoing spying scandal is that German email hosters have announced that they will improve the security of email exchanged between them by introducing encryption. In addition, many of them have now upgraded the security of their SMTP, POP and IMAP connectivity to their customers as well. When I recently ran a trace of the email traffic between me and my provider I was positively surprised to see that they now use TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) as a cipher suite with clients that support it (e.g. Thunderbird in my case on my notebook and K9 email on Android). ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral: for every session, client and server agree on a temporary session key from freshly generated, throw-away key pairs, and the server's RSA certificate is only used to sign that exchange. Because the session key never depends on the server's long-term private key, recorded traffic cannot be decrypted even if that private key falls into the wrong hands later on. Hence the property is called 'Perfect Forward Secrecy'. For details of what this means, have a look at this previous post. While my data is still stored on the server as clear text, this at least prevents casual eavesdropping by those analyzing all data that runs through a transmission link. And that suits me just fine!
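To check the same thing for your own provider without reading a packet trace, the following script (an added example, not code from the original post) probes a mail host's SMTP (STARTTLS), IMAPS and POP3S endpoints with Python's standard library, reports the cipher suite each one negotiated, and classifies whether its key exchange is ephemeral. The host names passed on the command line are whatever your provider publishes; the hard-coded names below are placeholders. The classification recognises both the IANA spelling used in the post (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) and the OpenSSL spelling Python reports (ECDHE-RSA-AES256-SHA), and it goes slightly beyond the post by also covering TLS 1.3 suites, whose names omit the key exchange because TLS 1.3 only permits ephemeral (EC)DHE.

```python
"""Probe a mail provider's TLS endpoints and report forward secrecy.

Added example, not part of the original post. Standard library only.
"""
import imaplib
import poplib
import smtplib
import ssl
import sys

# Authenticated ephemeral key exchanges. Static ECDH/DH and RSA key transport
# are deliberately excluded: a leaked server key would decrypt recorded sessions.
_EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}


def has_forward_secrecy(cipher_name):
    """True if the suite's key exchange is an authenticated ephemeral (EC)DHE.

    Accepts IANA names (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) and OpenSSL names
    (ECDHE-RSA-AES256-SHA). TLS 1.3 names (TLS_AES_256_GCM_SHA384) carry no
    key-exchange token because TLS 1.3 only allows ephemeral (EC)DHE.
    """
    name = cipher_name.upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            return True                     # TLS 1.3 suite: always ephemeral
        # TLS_ECDHE_RSA_WITH_AES_... -> ["ECDHE", "RSA"]
        tokens = name[4:].split("_WITH_")[0].split("_")
    else:
        # ECDHE-RSA-AES256-SHA -> ["ECDHE", "RSA", ...]; AES256-SHA -> RSA kex
        tokens = name.split("-")
    return tokens[0] in _EPHEMERAL_KX


def suite_name_from_id(suite_id):
    """Map a 16-bit IANA suite id (e.g. 0xC014) to the local OpenSSL name.

    Returns None if the linked OpenSSL does not enable that suite at all.
    OpenSSL's internal id has 0x0300 in the upper bytes, hence the mask.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")                  # include suites outside DEFAULT
    for suite in ctx.get_ciphers():
        if suite["id"] & 0xFFFF == suite_id:
            return suite["name"]
    return None


def smtp_cipher(host, port=587, timeout=10):
    """Connect, upgrade with STARTTLS, return (cipher, protocol, secret_bits)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)          # smtp.sock is now an SSLSocket
        return smtp.sock.cipher()


def imap_cipher(host, port=993, timeout=10):
    """Implicit-TLS IMAP: return (cipher, protocol, secret_bits)."""
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    try:
        return conn.sock.cipher()
    finally:
        conn.logout()


def pop3_cipher(host, port=995, timeout=10):
    """Implicit-TLS POP3: return (cipher, protocol, secret_bits)."""
    ctx = ssl.create_default_context()
    conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
    try:
        return conn.sock.cipher()
    finally:
        conn.quit()


def report(host):
    """Print one line per protocol: negotiated suite and PFS verdict."""
    for label, probe in (("SMTP/587", smtp_cipher), ("IMAP/993", imap_cipher),
                         ("POP3/995", pop3_cipher)):
        try:
            name, proto, bits = probe(host)
        except OSError as exc:               # refused, timed out, TLS failure
            print(f"{label:9} {host}: unreachable ({exc})")
            continue
        verdict = "forward secrecy" if has_forward_secrecy(name) else "NO forward secrecy"
        print(f"{label:9} {host}: {proto} {name} ({bits} bit) -> {verdict}")


if __name__ == "__main__":
    # Placeholder host; pass your provider's real mail host on the command line.
    report(sys.argv[1] if len(sys.argv) > 1 else "mail.example.com")
```

Run it as `python probe_mail_tls.py mail.yourprovider.example`. A client built against a current OpenSSL will usually negotiate a TLS 1.3 or an AES-GCM suite rather than the CBC suite from the trace; what matters for the point of this post is the key exchange, which `has_forward_secrecy` reports independently of the cipher and MAC.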