This isn't really new news, but improperly configured mail services result in lots of privacy holes across the Internet.
STARTTLS is used to upgrade an unencrypted connection to an encrypted SSL/TLS connection. The problem is that if the upgrade fails, many mail clients will proceed to send mail on the unencrypted connection.
For any sysadmins (technical info):
Unfortunately, the situation is somewhat sticky. I suggest reading carefully the TLS/SSL section of https://wiki.debian.org/PostfixAndSASL as well as the STARTTLS RFC http://tools.ietf.org/html/rfc2487
Public email servers should not require STARTTLS (that is, encryption) on port 25 (smtp). Furthermore, there is no guarantee that all of the mail servers during transit of an email use encryption. Thus, you should assume your email is transmitted unencrypted, until a better solution emerges. You can always use OpenPGP to encrypt the body of your email, which should become commonplace shortly after Hurd achieves market dominance.
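To make the failure mode above concrete, here is an added example (not part of the original post or of any mail software): a constructed in-process stand-in for a mail server that either omits STARTTLS from its EHLO capabilities or advertises it and then rejects the upgrade, and a client check that fails closed instead of carrying on in plaintext. The names `_fake_smtp_server` and `tls_upgrade_possible` are this example's own.

```python
import smtplib
import socket
import threading

def _fake_smtp_server(advertise_starttls):
    """Constructed one-shot SMTP listener standing in for a remote mail server.
    It answers EHLO with or without the STARTTLS capability and rejects any
    STARTTLS attempt with a 454, modelling an upgrade that fails. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            reader = conn.makefile("rb")
            while True:
                line = reader.readline()
                parts = line.split()
                if not parts:
                    break
                cmd = parts[0].upper()
                if cmd == b"EHLO":
                    caps = [b"250-fake.example"]
                    if advertise_starttls:
                        caps.append(b"250-STARTTLS")
                    caps.append(b"250 8BITMIME")
                    conn.sendall(b"\r\n".join(caps) + b"\r\n")
                elif cmd == b"STARTTLS":
                    conn.sendall(b"454 TLS not available due to temporary reason\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"250 OK\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port

def tls_upgrade_possible(host, port):
    """Connect, EHLO, and report whether STARTTLS is offered AND the upgrade
    succeeds. A fail-closed client sends nothing sensitive when this is False;
    the behaviour the summary warns about is continuing anyway."""
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=5) as client:
        client.ehlo()
        if not client.has_extn("starttls"):
            return False
        try:
            client.starttls()  # raises SMTPResponseException on the 454 above
        except smtplib.SMTPException:
            return False
        return True
```

Both the "not advertised" and "advertised but rejected" cases return False; a client that instead proceeds to DATA on the same socket is the one leaking mail in the clear.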
Editor's Note: How-to articles for various flavors of Microsoft Exchange can be found at MSExchange.org.
(Score: 5, Insightful) by ledow on Monday November 02 2015, @02:23PM
Given that email crosses any number of unknown servers, you should be wary anyway. Email is just not safe without entirely separate encryption even if part of the transit is secured.
You have no idea that the IT guy the other end isn't reading it, that the transit in-between doesn't involve forwards or bounces that you're not aware of, that the server itself is who it claims to be (TLS encryption is all well and good but anyone can be MITM and what "pins" a particular certificate to a particular mail-server? Do you need to have the certificate of the email domain to receive that email? No. Just people forwarding stuff direct to Google Mail tells you that's not necessary at all), that they aren't using a mail provider (e.g. mail.google.com as their MX), or even that simple DNS spoofing isn't occurring (how often do you check that your MX hasn't changed to some random third-party?).
Email has always been like this. Email is NOT secure. It can be read en-route by any number of points. If you want to send secure information, encrypt it separately and DON'T EMAIL THE KEY.
That this is inconvenient, e.g. needing things like PGP and webs of trust, is the main road-block to secure communication.
(Score: 0) by Anonymous Coward on Monday November 02 2015, @03:06PM
Email has always been like this. Email is NOT secure. It can be read en-route by any number of points. If you want to send secure information, encrypt it separately and DON'T EMAIL THE KEY.
That this is inconvenient, e.g. needing things like PGP and webs of trust, is the main road-block to secure communication.
Is there any effort to an "Email 2.0"? I don't know of any projects that aim to be replacement to current email protocols, but maybe they're just badly publicized?