Opportunistic encryption


Opportunistic encryption (OE) refers to an Encryption concept that, when connecting to another system, attempts to encrypt the communications channel, otherwise falling back to unencrypted communications.

Opportunistic encryption requires no pre-arrangement between the two systems.

Opportunistic encryption can be used to combat passive wiretapping. (An active wiretapper, on the other hand, can disrupt encryption negotiation to either force an unencrypted channel or perform a Man-In-The-Middle attack on the encrypted link.) It does not provide a strong level of security as authentication may be difficult to establish and secure communications are not mandatory. Yet, it does make the encryption of most Internet traffic easy to implement, which removes a significant impediment to the mass adoption of Internet traffic security.

Opportunistic encryption on the Internet is described in a few documents:


Mozilla started to roll out Opportunistic encryption in Firefox version 37 in [2015] wand was quickly rolled back (in update 37.0.1) due to a serious vulnerability that could bypass SSL Certificate Validation.

Opportunistic TLS is used with in IMAP, POP3 and ACAP (RFC 2595) and SMTP (RFC 3207) using StartTLS extensions implementation where it is not necessary to obtain a certificate from a Certificate Authority, as a Self-signed Certificate can be used. These may be subject to Strip

More Information#

There might be more information for this subject on one of the following: