Last month Apple confirmed that it would soon beef up encryption for iCloud email following a report detailing security flaws in major email services. While Apple previously encrypted emails sent between its own iCloud customers, now the company has enabled encryption for emails in transit between iCloud and third-party services for me.com and mac.com email addresses.
The change is documented on Google’s transparency website, which shows the percentage of emails encrypted in transit for both inbound and outbound email exchanges.
Apple has yet to make an official announcement about the changes.
The change is a welcome one for users following several media reports noting that Apple was one of the last global email providers based in the US not providing encryption for email between providers. However, there are already reports that Apple’s method of encryption might not be as secure as security experts hoped. A translated report from Heise.de, which examined the new methods of encryption, notes that Apple is using the RC4 encryption algorithm, which the report claims leaves much to be desired in terms of possible eavesdropping. A security researcher we spoke to said RC4-128 (which is the version of RC4 Apple is believed to be using) is far weaker than AES-128. The researcher also noted there have been suggestions, though not yet proof, that the NSA has broken RC4-128.
We’ve reached out to Apple for a comment on the new encryption methods and will update if we hear back.