Opportunistic encryption requires no pre-arrangement between the two systems.
Opportunistic encryption can be used to combat passive wiretapping. (An active wiretapper, on the other hand, can disrupt encryption negotiation to either force an unencrypted channel or perform a Man-In-The-Middle attack on the encrypted link.) It does not provide a strong level of security as authentication may be difficult to establish and secure communications are not mandatory. Yet, it does make the encryption of most Internet traffic easy to implement, which removes a significant impediment to the mass adoption of Internet traffic security.
Opportunistic encryption on the Internet is described in a few documents:
- RFC 7435 - Opportunistic Security: Some Protection Most of the Time
- RFC 8164 - Opportunistic Security for HTTP2
Implementations#Mozilla started to roll out Opportunistic encryption in Firefox version 37 in  wand was quickly rolled back (in update 37.0.1) due to a serious vulnerability that could bypass SSL Certificate Validation.
Opportunistic TLS is used with in IMAP, POP3 and ACAP (RFC 2595) and SMTP (RFC 3207) using StartTLS extensions implementation where it is not necessary to obtain a certificate from a Certificate Authority, as a Self-signed Certificate can be used. These may be subject to Strip