Microsoft, Google, Others Push For Encrypted Email Protocols

Tech giants including Google, Microsoft, and Yahoo have banded together to propose a method for making email more secure.

While the US government's legal campaign to force Apple to undermine the encryption on the iPhone used by San Bernardino shooter Syed Farook awaits the FBI's exploration of a possible security bypass, technology companies are continuing their efforts to strengthen encryption across other communications channels.

Since Edward Snowden's 2013 revelations about the expansive digital surveillance capabilities of US intelligence agencies, technology companies have been scrambling to make data at rest and in transit more secure.

Apple's adoption of default device encryption in iOS 8 represented a major shift in the security landscape, but other companies have been active too. Google, for example, made HTTPS connections mandatory for Gmail in 2014. That same year, Microsoft enabled Transport Layer Security encryption (TLS) for,,, and, and enabled Perfect Forward Secrecy (PFS) for OneDrive. Also in 2014, Facebook urged companies to adopt STARTTLS encryption for email.

In 2015, Google let its cloud customers provide their own encryption keys. Also last year, Microsoft introduced a feature called Always Encrypted in SQL Server 2016 and enhanced Office 365 Message Encryption.

This long-running lockdown advanced further on Friday when a group of software engineers from Comcast, Google, LinkedIn, Microsoft, Yahoo, and 1&1 Mail & Media Development submitted a draft proposal to the Internet Engineering Task Force that describes SMTP Strict Transport Security (SMTP STS), a method for making email more secure.

SMTP, or Simple Mail Transport Protocol, was not designed for security. Related protocols like TLS (the successor to SSL) provide some protection by encrypting email messages between the client application and the server. STARTTLS provides a mechanism to upgrade unprotected connections to TLS.

But there are still ways to compromise online security -- specifically by means of attacks that can downgrade or intercept SMTP sessions despite the presence of TLS and STARTTLS security.

SMTP STS aims to close the gaps that allow TLS email encryption to be degraded. "SMTP Strict Transport Security protects against an active attacker who wishes to intercept or tamper with mail between hosts who support STARTTLS," the proposal explains.

The proposal outlines the mechanism for domains receiving messages to publish policies that describe TLS support, how TLS certificates and published policies can be authenticated, how failures can be reported, and how mail servers should respond to failures.
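The sender-side decision this implies, sketched as an added example (not code from the article or the draft proposal): it compares opportunistic STARTTLS with delivery under a published policy when the STARTTLS line is missing from the server's EHLO reply. The `Policy` fields, action names, and failure-reason strings are hypothetical simplifications, and the EHLO replies are constructed samples.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Policy:
    """Hypothetical, simplified stand-in for a recipient domain's published policy."""
    mx_patterns: list   # hosts expected to receive the domain's mail
    enforce: bool       # True: fail closed; False: deliver but report

def ehlo_extensions(reply):
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    exts = set()
    for line in reply.splitlines()[1:]:      # first line is only the greeting
        words = line[4:].split()
        if line.startswith("250") and words:
            exts.add(words[0].upper())
    return exts

def decide(policy, mx_host, ehlo_reply, cert_valid):
    """Return (action, failure_reason) for one delivery attempt.
    policy is None when the recipient domain publishes nothing."""
    starttls = "STARTTLS" in ehlo_extensions(ehlo_reply)
    if policy is None:
        # Opportunistic TLS: if STARTTLS is missing from the reply, the sender
        # cannot tell a stripped session from a server without TLS.
        return ("deliver_tls" if starttls else "deliver_plaintext", None)
    if not any(fnmatchcase(mx_host.lower(), p) for p in policy.mx_patterns):
        reason = "mx-mismatch"
    elif not starttls:
        reason = "starttls-not-offered"
    elif not cert_valid:
        reason = "certificate-invalid"
    else:
        return ("deliver_tls", None)
    return ("refuse_and_report" if policy.enforce else "deliver_and_report", reason)

# Constructed sample EHLO replies: one intact, one with the STARTTLS line missing.
FULL = "250-mx1.example.net Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 PIPELINING"
STRIPPED = "250-mx1.example.net Hello\r\n250-SIZE 35882577\r\n250 PIPELINING"
POLICY = Policy(mx_patterns=["*.example.net"], enforce=True)

if __name__ == "__main__":
    for pol in (None, POLICY):
        for name, reply in (("full", FULL), ("stripped", STRIPPED)):
            print(pol is not None, name, decide(pol, "mx1.example.net", reply, True))
```

Without a policy the stripped reply leads to plaintext delivery with no signal to anyone; with an enforcing policy the same reply becomes a refused delivery and a reportable failure.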

If adopted, SMTP STS should make online communication more secure. However, it's unclear how long the process to approve the protocol will take. But with such tech heavyweights backing it, it should move forward, particularly if the companies involved start implementing it within their own offerings.

Email is already moving in that direction, albeit slowly. According to Google, about 83% of outgoing Gmail messages are encrypted, up from around 79% a year ago. Among incoming Gmail messages, 69% are now encrypted, up from about 55% a year ago.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...
