Microsoft, Google, Others Push For Encrypted Email Protocols - InformationWeek
Mobile // Mobile Devices
12:06 PM
Connect Directly

Microsoft, Google, Others Push For Encrypted Email Protocols

Tech giants including Google, Microsoft, and Yahoo have banded together to proposed a method for making email more secure.

iPhone SE, Smaller iPad Pro Unveiled: Up Close Look
iPhone SE, Smaller iPad Pro Unveiled: Up Close Look
(Click image for larger view and slideshow.)

While the US government's legal campaign to force Apple to undermine the encryption on the iPhone used by San Bernardino shooter Syed Farook awaits the FBI's exploration of a possible security bypass, technology companies are continuing their efforts to strengthen encryption across other communications channels.

Since Edward Snowden's 2013 revelations about the expansive digital surveillance capabilities of US intelligence agencies, technology companies have been scrambling to make data at rest and in transit more secure.

Apple's adoption of default device encryption in iOS 8 represented a major shift in the security landscape, but other companies have been active too. Google, for example, made HTTPS connections mandatory for Gmail in 2014. That same year, Microsoft enabled Transport Layer Security encryption (TLS) for,,, and, and enabled Perfect Forward Secrecy (PFS) for OneDrive. Also in 2014, Facebook urged companies to adopt STARTTLS encryption for email.

(Image: Pixabay)

(Image: Pixabay)

In 2015, Google let its cloud customers provide their own encryption keys. Also last year Microsoft introduced a feature called Always Encrypted in SQL Server 2016 and enhanced Office 365 Message Encryption.

This long-running lockdown advanced further on Friday when a group of software engineers from Comcast, Google, LinkedIn, Microsoft, Yahoo, and 1&1 Mail & Media Development submitted a draft proposal to the Internet Engineering Task Force that describes SMTP Strict Transport Security (SMTP STS), a method for making email more secure.

SMTP, or Simple Mail Transport Protocol, was not designed for security. Related protocols like TLS (the successor to SSL) provide some protection by encrypting email messages between the client application and the server. STARTTLS provides a mechanism to upgrade unprotected connections to TLS.

Are you prepared for a new world of enterprise mobility? Attend the Wireless & Mobility Track at Interop Las Vegas, May 2-6. Register now!

But there are still ways to compromise online security -- specifically by means of attacks that can downgrade or intercept SMTP sessions despite the presence of TLS and STARTTLS security.

SMTP STS aims to close the gaps that allow TLS email encryption to be degraded. "SMTP Strict Transport Security protects against an active attacker who wishes to intercept or tamper with mail between hosts who support STARTTLS," the proposal explains.

The proposal outlines the mechanism for domains receiving messages to publish policies that describe TLS support, how TSL certificates and published policies can be authenticated, how failures can be reported, and how mail servers should respond to failures.

If adopted, SMTP STS should make online communication more secure. However, it's unclear how long the process to approve the protocol will take. But with such tech heavyweights backing it, it is should move forward, particularly if the companies involved start implementing it within their own offerings.

Email is already moving in that direction, albeit slowly. According to Google, about 83% of outgoing Gmail messages are encrypted, up from around 79% a year ago. Among incoming Gmail messages, 69% are now encrypted, up from about 55% a year ago.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll