Best practice for mail servers is to enable TLS by default, which means that when this mail server communicates with other mail servers, it encrypts the connection to thwart eavesdropping. Although the practice (sometimes called “opportunistic encryption”) started out as something only paranoid organizations participated in, it’s now so widespread that Google warns you if you try to use Gmail to send a message to someone whose server does not accept encrypted connections.
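To make the “opportunistic encryption” described above concrete, here is an added example (not code from the article or from any organisation it mentions) that checks whether a mail server advertises the SMTP STARTTLS extension and, if so, attempts to negotiate TLS. It uses only the Python standard library; the hostnames and EHLO replies in it are constructed placeholders, and the live check is a hypothetical helper you would point at your own MX host.

```python
"""Check whether an SMTP server offers STARTTLS (opportunistic TLS).

Added example, not from the article.  Standard library only.
Hostnames and sample replies below are constructed, not captured
from any real server.
"""
import smtplib
import ssl
import sys


def parse_ehlo_extensions(ehlo_reply: bytes) -> dict:
    """Parse a multi-line EHLO reply into {extension: parameters}.

    Accepts either raw wire text ('250-STARTTLS') or the message that
    smtplib.SMTP.ehlo() returns (status codes already stripped).  The
    first line is the server greeting and carries no extension.
    """
    extensions = {}
    for line in ehlo_reply.decode("latin-1").splitlines()[1:]:
        line = line.strip()
        if line[:3] == "250":          # raw wire form: drop '250-' / '250 '
            line = line[4:]
        if not line:
            continue
        keyword, _, params = line.partition(" ")
        extensions[keyword.lower()] = params.strip()
    return extensions


def offers_starttls(ehlo_reply: bytes) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    return "starttls" in parse_ehlo_extensions(ehlo_reply)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail host, look for STARTTLS and try to negotiate it.

    Network call; not exercised offline.  The certificate is verified,
    which is stricter than what most MTAs do for opportunistic TLS (they
    encrypt without verifying unless MTA-STS or DANE is in place), so a
    self-signed or mismatched certificate is reported as a distinct
    failure instead of silently counting as 'encrypted'.
    """
    result = {"host": host, "advertised": False, "negotiated": False,
              "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with {code}"
                return result
            result["advertised"] = offers_starttls(msg)
            if not result["advertised"]:
                return result            # plaintext only: the article's case
            smtp.starttls(context=ssl.create_default_context())
            result["negotiated"] = True
            result["tls_version"] = smtp.sock.version()
            smtp.ehlo()                  # re-EHLO after TLS, per RFC 3207
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


# Constructed sample replies, used for the offline demonstration below.
EHLO_TLS = (b"250-mx.example.net Hello [192.0.2.10]\r\n"
            b"250-SIZE 52428800\r\n"
            b"250-STARTTLS\r\n"
            b"250 HELP\r\n")
EHLO_NO_TLS = (b"250-mx.example.org Hello [192.0.2.10]\r\n"
               b"250-SIZE 52428800\r\n"
               b"250 HELP\r\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against a host you administer, e.g. the first
        # hostname from `dig +short MX yourdomain.example`.
        print(check_starttls(sys.argv[1]))
    else:
        print("sample with STARTTLS   :", offers_starttls(EHLO_TLS))
        print("sample without STARTTLS:", offers_starttls(EHLO_NO_TLS))
```

A server that answers EHLO without a `STARTTLS` line is the situation the article describes: every hop that relays the message sees it in clear. Note that "advertised" and "negotiated" are separate fields on purpose; a server can advertise STARTTLS and still fail the handshake with a broken or expired certificate.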
It is therefore surprising that the Metropolitan Police Service in London does not use it.
“If you were to email me at [email protected], it would appear to be sent with no level of encryption, which is surprising as most organizations currently use TLS and email via HTTPS by default,” Alan Woodward, a visiting professor at the University of Surrey who reviewed the results, told Motherboard in a Twitter post. In short, anyone who might intercept emails from this server in transit – perhaps an internet service provider or someone spying on the sender’s or recipient’s network – needn’t worry about encryption getting in the way of reading the content of the email.
The MPS also uses another email domain, part of the National Police Network, which does come with TLS. But it is the MPS’s own domain that does not benefit from the same protections.
The MPS acknowledged several requests for comment this week, but did not provide a response.
London cops’ emails sent without encryption, open to interception