Microsoft, Google, Others Push For Encrypted Email Protocols
Tech giants including Google, Microsoft, and Yahoo have banded together to proposed a method for making email more secure.
iPhone SE, Smaller iPad Pro Unveiled: Up Close Look
(Click image for larger view and slideshow.)
While the US government's legal campaign to force Apple to undermine the encryption on the iPhone used by San Bernardino shooter Syed Farook awaits the FBI's exploration of a possible security bypass, technology companies are continuing their efforts to strengthen encryption across other communications channels.
Since Edward Snowden's 2013 revelations about the expansive digital surveillance capabilities of US intelligence agencies, technology companies have been scrambling to make data at rest and in transit more secure.
Apple's adoption of default device encryption in iOS 8 represented a major shift in the security landscape, but other companies have been active too. Google, for example, made HTTPS connections mandatory for Gmail in 2014. That same year, Microsoft enabled Transport Layer Security encryption (TLS) for Hotmail.com, Live.com, MSN.com, and Outlook.com, and enabled Perfect Forward Secrecy (PFS) for OneDrive. Also in 2014, Facebook urged companies to adopt STARTTLS encryption for email.
This long-running lockdown advanced further on Friday when a group of software engineers from Comcast, Google, LinkedIn, Microsoft, Yahoo, and 1&1 Mail & Media Development submitted a draft proposal to the Internet Engineering Task Force that describes SMTP Strict Transport Security (SMTP STS), a method for making email more secure.
SMTP, or Simple Mail Transport Protocol, was not designed for security. Related protocols like TLS (the successor to SSL) provide some protection by encrypting email messages between the client application and the server. STARTTLS provides a mechanism to upgrade unprotected connections to TLS.
But there are still ways to compromise online security -- specifically by means of attacks that can downgrade or intercept SMTP sessions despite the presence of TLS and STARTTLS security.
SMTP STS aims to close the gaps that allow TLS email encryption to be degraded. "SMTP Strict Transport Security protects against an active attacker who wishes to intercept or tamper with mail between hosts who support STARTTLS," the proposal explains.
The proposal outlines the mechanism for domains receiving messages to publish policies that describe TLS support, how TSL certificates and published policies can be authenticated, how failures can be reported, and how mail servers should respond to failures.
If adopted, SMTP STS should make online communication more secure. However, it's unclear how long the process to approve the protocol will take. But with such tech heavyweights backing it, it is should move forward, particularly if the companies involved start implementing it within their own offerings.
Email is already moving in that direction, albeit slowly. According to Google, about 83% of outgoing Gmail messages are encrypted, up from around 79% a year ago. Among incoming Gmail messages, 69% are now encrypted, up from about 55% a year ago.
Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Top IT Trends to Watch in Financial ServicesIT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Join us for a roundup of the top stories on InformationWeek.com for the week of September 25, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."