Earlier in June, Apple informed NPR that it would soon implement an important security measure: encrypting iCloud email in transit. Apple previously encrypted email sent between iCloud servers, but did not implement STARTTLS for email in transit between providers.
Those following Google’s Email Transparency Report website could watch Apple slowly and steadily implement encryption as the percentage of encrypted outbound and inbound email grows. As of July 9, the current status of the iCloud mail encryption can be seen in the image below:
After testing the encryption method, German site heist.de, which was also the first to notice the lack of encryption for email in transit, notes that Apple uses the RC4 encryption algorithm. Given the potential for eavesdropping, though, RC4 may not be the best alternative.
According to a security expert who spoke with 9to5Mac, the RC4-128 encryption Apple is believed to be using with STARTTLS is much weaker than AES-128, as the NSA may have broken RC4-128, although he couldn’t provide evidence to support this.
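A recipient can check which cipher each mail hop negotiated by reading the TLS annotations in a message's Received headers. The Python below is an added example, not part of the original article: it assumes the annotation formats that Postfix and Gmail commonly write, and the sample message, hostnames and addresses are constructed.

```python
import re
from email import message_from_string

# TLS annotations as Postfix ("using ... with cipher ...") and Gmail
# ("version=... cipher=...") commonly write them into Received headers.
TLS_PATTERNS = [
    re.compile(r"using (?P<version>(?:TLSv|SSLv)[\d.]+) with cipher (?P<cipher>[\w-]+)"),
    re.compile(r"version=(?P<version>\w+) cipher=(?P<cipher>[\w-]+)"),
]

def audit_hops(raw_message):
    """Return (receiving_host, tls_version, cipher, verdict) per hop, newest first."""
    hops = []
    for header in message_from_string(raw_message).get_all("Received", []):
        text = " ".join(header.split())  # unfold continuation lines
        by = re.search(r"\bby (\S+)", text)
        host = by.group(1) if by else None
        match = None
        for pattern in TLS_PATTERNS:
            match = pattern.search(text)
            if match:
                break
        if match is None:
            # No annotation: plaintext hop, or an MTA that does not log TLS.
            hops.append((host, None, None, "no-tls-recorded"))
        else:
            cipher = match.group("cipher")
            # "ok" here only means "not RC4", not a full cipher review.
            verdict = "weak-rc4" if "RC4" in cipher.upper() else "ok"
            hops.append((host, match.group("version"), cipher, verdict))
    return hops

# Constructed sample message (documentation hostnames and addresses).
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\t(using TLSv1.2 with cipher RC4-SHA (128/128 bits))
\tby mail.example.org (Postfix) with ESMTPS id 4A1B2C3D; Wed, 9 Jul 2014 10:00:02 +0000
Received: from relay.example.com (relay.example.com [192.0.2.20])
\tby mx1.example.net with ESMTPS id x1si123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 9 Jul 2014 10:00:01 +0000
Received: from client.example.com (client.example.com [192.0.2.30])
\tby relay.example.com with ESMTP id abc123; Wed, 9 Jul 2014 10:00:00 +0000
From: alice@example.com

body
"""

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

Received headers are written by each receiving server and can be forged by earlier hops, so only the annotations added by servers you trust are reliable evidence.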