Email Security Likely to Get Boost

John Lister's picture

Some of the biggest tech firms have joined together to call for new standards that could make emails more secure. The proposals have gone to the Internet Engineering Task Force, which develops voluntary but widely used technical standards for the Internet.

These days around 30 percent of Internet traffic from North American users is encrypted, meaning that if somebody intercepts it en route, they'll struggle to read it. That figure is expected to jump to 60 percent this year, though that's largely a quirk caused by a change in policy by Netflix. In any case, it's now common for sensitive data such as medical or financial information and private messages to be encrypted going to and from websites.

Most Email Still Unsecured

However, most email, which uses a technology called SMTP, remains unencrypted, meaning that anyone who is able to intercept it can read it without problems, just as if they'd opened a letter or read a postcard before it was delivered. Many companies that offer web-based email encrypt messages, but that doesn't protect content sent from standalone email applications. (Source: thenextweb.com)

There is an existing encryption standard with the unwieldy name of SMTP STARTTLS, but it has a major technical flaw. This flaw makes it possible for hackers to effectively trick email software into sending a message unencrypted, without the sender realizing what happened. Because of this shortcoming, this method isn't widely used.

New System Works Like Secure Web Pages

Now, many of the major email providers, including Comcast, Google, Microsoft and Yahoo, have proposed a new solution called SMTP STS. It's a somewhat complex technical solution, but the key principle is that before an email is sent, there's a check with the destination server to make sure it is indeed the intended recipient and that it can handle and decrypt the intended message.

This brings two major benefits. The first is that the encryption process will now work in a similar way to secure web pages, with a complete check in advance to make sure the message will get through safely and securely. (Source: pcmag.com)

The second is that the technology is set up so that if a message can't get through securely, the sender will get a delivery failure message that highlights the potential security risk.
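The sender-side decision described above, as an added example that is not code from the article or from the proposal's authors: it compares an opportunistic STARTTLS sender with one that enforces a published policy. The policy text uses the key/value layout of MTA-STS (RFC 8461), the name under which this proposal was later standardized; the host names, EHLO responses and function names are constructed for illustration.

```python
# Added illustration: sender-side delivery decision, opportunistic vs. policy-enforced.
# Policy layout follows MTA-STS (RFC 8461); all hosts and EHLO lines are constructed.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup.example.net
max_age: 86400
"""
EHLO_OK = ["250-mail.example.net", "250-SIZE 35882577", "250-STARTTLS", "250 8BITMIME"]
EHLO_STRIPPED = [l for l in EHLO_OK if "STARTTLS" not in l]  # what a sender sees after tampering

def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, so collect it in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid policy")
    return policy

def mx_allowed(policy, mx_host):
    """A wildcard pattern '*.example.net' matches exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def decide(ehlo_lines, mx_host, cert_valid, policy=None):
    """Return 'send-encrypted', 'send-plaintext' or 'fail' for one delivery attempt."""
    offers_tls = any(l[4:].strip().upper() == "STARTTLS" for l in ehlo_lines)
    secure = offers_tls and cert_valid and (policy is None or mx_allowed(policy, mx_host))
    if policy is not None and policy["mode"] == "enforce":
        return "send-encrypted" if secure else "fail"  # bounce instead of downgrading
    if offers_tls:
        return "send-encrypted"  # opportunistic: encrypts, certificate is not checked
    return "send-plaintext"      # opportunistic: silent fallback to cleartext
```

With no policy, the stripped EHLO response leads to a silent plaintext send; with the enforce-mode policy, the same response produces a delivery failure the sender can see.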

What's Your Opinion?

Do you know much about the security of the emails you send, particularly in comparison to using secure websites? Are you surprised that many emails still go without encryption? Do you think the support of such major tech players will overcome the challenge of getting a new standard widely accepted and used?


Comments

Dennis Faas's picture

Encrypting emails while sending from the user to the server is great, but as far as I understand, email encryption ends right there unless all servers involved in relaying the email to its final destination are also encrypted. As such, I'd like to see an easy-to-integrate solution for Mail Transport Agents (MTAs) as well.

alan.cameron_4852's picture

Email security is not the real problem. The real problem is authentication.
Knowing that the sender has been authenticated and is who they say they are is much more important. Eliminate spoofed addresses and phishing emails.

allecnarf_6704's picture

Some people are under the illusion that TLS (Transport Layer Security) provides protection, but nothing could be further from the truth. As the name suggests, TLS only provides protection during a single transport leg. It does not protect the message at the source or the destination, nor any of the MTAs in between. The only way to truly protect a message is to encrypt it at source, and decrypt it at the final destination. And as long as the encryption key is under the control of the mail server, there is still the potential for big brother to coerce the MSP into giving up the key. See http://www.yellowhead.com/ESecure.htm for more detail.

J.A. Coutts

matt_2058's picture

I think that when the major tech players get involved, changes will happen. And how they implement the new standards will determine if it is a good thing. We need a good standard or two to accommodate the many types of info being exchanged these days.

Remember PGP? No motives on the supplier side, so it was a good intention. I see Apple's current features the same way...good for the people and business. But if Apple has a master key and hands it out...bad for the people.

Not really email security, but the interception of data:
The biggest failure I see is the introduction of additional parties. The doctor or hospital does not manage your medical records...a contractor does, and that probably changes every so often. Same with a home mortgage and many other things. The dissemination of your information by the third party is widespread and out of control. They have hackers beat by a longshot. They may not be demanding a ransom, but they have it all the same and are using it in ways you didn't approve.

In the end, what's the point of security if third parties (known or unknown) have the key?

ecash's picture

It's funny..
All this about encryption,
and they can't find those SPAM locations, even when I send a decrypted email to FCC/FBI/CIA/DA...

I've suggested that emails need to be fixed, long ago. The only thing I wished for was that EACH server it ran through would add a tag so that it could be traced back..
It's too easy to fake an email location, and most of the data we can read. At least we could get to the main server with a tag trace..

INXS9000RPM's picture

Seeing that MS is among the design team of SMTP - STS, my instincts tell me security (privacy protection of emailed data) cannot be trusted. With MS' history of surreptitiously tracking/logging everything performed on WinXP and upward Windows systems, you can be sure there will be a customizable backdoor feature.