While the US government's legal campaign to force Apple to undermine the encryption on the iPhone used by San Bernardino shooter Syed Farook awaits the FBI's exploration of a possible security bypass, technology companies are continuing their efforts to strengthen encryption across other communications channels.
Since Edward Snowden's 2013 revelations about the expansive digital surveillance capabilities of US intelligence agencies, technology companies have been scrambling to make data at rest and in transit more secure.
Apple's adoption of default device encryption in iOS 8 represented a major shift in the security landscape, but other companies have been active too. Google, for example, made HTTPS connections mandatory for Gmail in 2014. That same year, Microsoft enabled Transport Layer Security encryption (TLS) for Hotmail.com, Live.com, MSN.com, and Outlook.com, and enabled Perfect Forward Secrecy (PFS) for OneDrive. Also in 2014, Facebook urged companies to adopt STARTTLS encryption for email.
In 2015, Google let its cloud customers provide their own encryption keys. Also last year Microsoft introduced a feature called Always Encrypted in SQL Server 2016 and enhanced Office 365 Message Encryption.
This long-running lockdown advanced further on Friday when a group of software engineers from Comcast, Google, LinkedIn, Microsoft, Yahoo, and 1&1 Mail & Media Development submitted a draft proposal to the Internet Engineering Task Force that describes SMTP Strict Transport Security (SMTP STS), a method for making email more secure.
SMTP, or Simple Mail Transfer Protocol, was not designed for security. Related protocols like TLS (the successor to SSL) provide some protection by encrypting email messages between the client application and the server. STARTTLS provides a mechanism to upgrade unprotected connections to TLS.
But there are still ways to compromise online security -- specifically by means of attacks that can downgrade or intercept SMTP sessions despite the presence of TLS and STARTTLS security.
SMTP STS aims to close the gaps that allow TLS email encryption to be degraded. "SMTP Strict Transport Security protects against an active attacker who wishes to intercept or tamper with mail between hosts who support STARTTLS," the proposal explains.
The proposal outlines the mechanism for domains receiving messages to publish policies that describe TLS support, how TLS certificates and published policies can be authenticated, how failures can be reported, and how mail servers should respond to failures.
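The downgrade problem and the policy-based response described above, as an added example that is not from the article or from the IETF draft: a toy sending-side decision routine that reads a receiving server's EHLO banner, notices whether STARTTLS has been stripped by an on-path party, and either falls back to cleartext (the opportunistic behaviour STARTTLS alone gives you) or refuses and records a failure report when the destination domain has published a "require TLS" policy. The EHLO banners, the `POLICIES` table and its `mode`/`mx` keys, the host names and the `decide` function are all constructed for illustration; the draft's real policy format and discovery mechanism are not reproduced.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample EHLO responses. The first is what an honest receiving
# server sends; the second is the same banner after an on-path party has
# removed the STARTTLS line, which is the classic downgrade.
HONEST_EHLO = ["250-mx.example.net", "250-SIZE 35882577", "250-STARTTLS", "250 8BITMIME"]
STRIPPED_EHLO = ["250-mx.example.net", "250-SIZE 35882577", "250 8BITMIME"]

# Hypothetical, simplified policy table standing in for the policies a
# receiving domain would publish: whether TLS is required and which MX
# names are legitimate. This is not the format used by the draft.
POLICIES: Dict[str, dict] = {
    "example.net": {"mode": "enforce", "mx": ["mx.example.net"]},
}


@dataclass
class Decision:
    outcome: str                                   # "tls", "plaintext" or "refuse"
    reason: str
    report: List[str] = field(default_factory=list)  # failures worth reporting back


def offers_starttls(ehlo_lines: List[str]) -> bool:
    """True if the EHLO response advertises the STARTTLS extension."""
    # Each line is "250-<ext>" or "250 <ext>"; the keyword starts at offset 4.
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_lines)


def decide(domain: str, mx_host: str, ehlo_lines: List[str],
           cert_name: str, policies: Dict[str, dict]) -> Decision:
    """Choose how to deliver mail for `domain` through `mx_host`.

    `cert_name` is the name presented in the server certificate once TLS is
    up (constructed input here; a real client would parse the certificate).
    """
    policy = policies.get(domain)
    strict = policy is not None and policy.get("mode") == "enforce"

    if not offers_starttls(ehlo_lines):
        if strict:
            # The published policy says TLS is mandatory, so a missing
            # STARTTLS offer is treated as a downgrade, not as "no support".
            return Decision("refuse",
                            "policy requires TLS but STARTTLS was not offered",
                            [f"{domain}: starttls-not-offered via {mx_host}"])
        # Opportunistic behaviour: nothing says TLS is required, so the
        # sender quietly falls back to cleartext. This is the gap.
        return Decision("plaintext",
                        "no policy published; STARTTLS absent, sending in cleartext")

    if strict and (mx_host not in policy["mx"] or cert_name not in policy["mx"]):
        # TLS is on, but the endpoint is not one the domain owner vouched for.
        return Decision("refuse",
                        "MX host or certificate name not in published MX list",
                        [f"{domain}: certificate-mismatch {cert_name} via {mx_host}"])

    return Decision("tls", "STARTTLS negotiated with an authenticated MX")


if __name__ == "__main__":
    cases = [
        ("honest server, policy published", HONEST_EHLO, "mx.example.net", POLICIES),
        ("STARTTLS stripped, policy published", STRIPPED_EHLO, "mx.example.net", POLICIES),
        ("STARTTLS stripped, no policy", STRIPPED_EHLO, "mx.example.net", {}),
        ("wrong certificate, policy published", HONEST_EHLO, "mx.attacker.example", POLICIES),
    ]
    for label, ehlo, cert, pol in cases:
        d = decide("example.net", "mx.example.net", ehlo, cert, pol)
        print(f"{label:40} -> {d.outcome:9} ({d.reason})")
        for line in d.report:
            print(f"{'':40}    report: {line}")
```

The third case is the one the article is about: with no published policy the sender has no way to tell "this server never supported TLS" from "someone removed the STARTTLS line", so it delivers in cleartext. The policy turns that same banner into a hard failure, and the `report` field is the hook for the failure-reporting channel the proposal describes.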
If adopted, SMTP STS should make online communication more secure. However, it's unclear how long the process to approve the protocol will take. But with such tech heavyweights backing it, it should move forward, particularly if the companies involved start implementing it within their own offerings.
Email is already moving in that direction, albeit slowly. According to Google, about 83% of outgoing Gmail messages are encrypted, up from around 79% a year ago. Among incoming Gmail messages, 69% are now encrypted, up from about 55% a year ago.