Google, Microsoft, Yahoo ... Unveil New Email Security Standard

    Engineers from the largest email service providers have teamed up to improve the security of email traffic on the Internet.

    Designed by engineers from Google, Microsoft, Yahoo, Comcast, LinkedIn and 1&1 Mail & Media Development & Technology, the SMTP Strict Transport Security (SMTP STS) protocol is a new mechanism that lets email providers publish policies describing how encrypted connections to their mail servers must be established.


    The draft was submitted to the Internet Engineering Task Force (IETF) late last week for consideration as a standard. (The proposal was subsequently reworked and published in 2018 as RFC 8461, SMTP MTA Strict Transport Security, or MTA-STS.)

    The Simple Mail Transfer Protocol (SMTP), which carries messages between mail servers, usually from one provider to another, dates from 1982 and has no encryption of its own.

    For this reason an extension called STARTTLS was added to the protocol in 2002, allowing an SMTP connection to be upgraded to TLS (Transport Layer Security). Unfortunately it saw little adoption over the following decade, and email traffic between servers remained mostly unencrypted.

    That changed after 2013, when documents leaked by former NSA contractor Edward Snowden exposed the scale of Internet surveillance by the intelligence services of the United States, Britain and other countries.

    In May 2014 Facebook, which sends billions of notification emails every day, ran a test and found that 58% of those messages were delivered over connections encrypted with STARTTLS. By August of that year the figure had risen to 95%.

    There is a problem, however. Unlike HTTPS, STARTTLS is opportunistic: the sending server does not validate the receiving server's certificate, and the connection is accepted even when the certificate would fail validation, on the reasoning that encryption is still better than nothing.

    This means STARTTLS connections are vulnerable to man-in-the-middle attacks: an attacker who intercepts the traffic can present any certificate, even a self-signed one, the sender will accept it, and the attacker can then decrypt the traffic. STARTTLS connections are also vulnerable to so-called stripping (downgrade) attacks, in which the attacker simply removes the STARTTLS offer from the server's capability list and the connection falls back to plaintext.

    SMTP Strict Transport Security (SMTP STS) addresses both issues. It gives an email provider a way to tell sending servers that TLS is available and must be used, how the presented certificate must be validated, and what the sender should do if a secure TLS connection cannot be established.

    SMTP STS policies are published as special DNS records under the mail domain's name. The protocol provides a mechanism for validating these policies automatically and for reporting any failures.

    Receiving domains can also tell senders to cache their SMTP STS policy and specify its lifetime, and can define how a sender should react when a man-in-the-middle presents a forged policy on a later connection attempt.

    The proposed protocol is similar to HSTS, which prevents HTTPS downgrade attacks by having the browser cache a domain's policy. This does, however, assume that the client's first connection to the server was not tampered with; otherwise a fraudulent policy could be cached as well.
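    The two STARTTLS failure modes described above (a stripped capability list and an unvalidated certificate) and the cached-policy behaviour of the preceding paragraphs, as an added example that is not part of the original article or of the draft: a simulated sending MTA in Python. The policy record layout (`v=...; to=...; mx=...; e=...`), the EHLO lines, the certificate names and the rule that a still-valid cached strict policy is not replaced by a weaker freshly served one are all assumptions constructed for this example, not the draft's syntax or mandated behaviour.

```python
"""Simulated sending MTA: opportunistic STARTTLS versus a strict transport policy.
Constructed illustration; the record syntax and rules below are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class Policy:
    tls_required: bool      # assumed 'to' field: TLS must be used, cert validated
    mx_patterns: List[str]  # assumed 'mx' field: glob patterns the cert name must match
    max_age: int            # assumed 'e' field: seconds the policy may be cached
    fetched_at: float       # when the sender fetched it

    def expired(self, now: float) -> bool:
        return now > self.fetched_at + self.max_age


def parse_policy(txt: str, now: float) -> Policy:
    """Parse the assumed record "v=STSv1; to=true; mx=h1,h2; e=seconds"."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("unknown policy version")
    return Policy(tls_required=fields.get("to", "false").lower() == "true",
                  mx_patterns=[m for m in fields.get("mx", "").split(",") if m],
                  max_age=int(fields.get("e", "0")), fetched_at=now)


@dataclass
class ServerSession:
    """What the sender observes: EHLO reply lines, then the peer's certificate."""
    ehlo_lines: List[str]
    cert_name: Optional[str] = None  # subject name in the presented certificate
    cert_trusted: bool = False       # chains to a trusted CA?

    def offers_starttls(self) -> bool:
        # A stripping MITM simply deletes the "250-STARTTLS" line from the reply.
        return any(l[4:].strip().upper() == "STARTTLS" for l in self.ehlo_lines)


def decide(session: ServerSession, policy: Optional[Policy], now: float):
    """Return (action, reason); action is 'deliver-tls', 'deliver-plain' or 'refuse'."""
    if policy is None or policy.expired(now) or not policy.tls_required:
        # Opportunistic STARTTLS: encrypt if offered, accept any certificate,
        # otherwise fall back to cleartext. Both weaknesses live on this path.
        if session.offers_starttls():
            return "deliver-tls", "opportunistic TLS, certificate not validated"
        return "deliver-plain", "STARTTLS not offered, falling back to cleartext"
    if not session.offers_starttls():
        return "refuse", "policy requires TLS but STARTTLS was not offered (stripping?)"
    if not session.cert_trusted:
        return "refuse", "certificate does not chain to a trusted CA"
    if not any(fnmatch(session.cert_name or "", p) for p in policy.mx_patterns):
        return "refuse", "certificate name %r matches no mx pattern" % session.cert_name
    return "deliver-tls", "TLS with validated certificate"


class PolicyCache:
    """Per-domain cache. Assumed rule: an unexpired cached strict policy is kept
    over a freshly served weaker record such as a forged 'to=false'."""
    def __init__(self):
        self._cache = {}

    def lookup(self, domain: str, dns_txt: str, now: float) -> Policy:
        fresh = parse_policy(dns_txt, now)
        cached = self._cache.get(domain)
        if cached and not cached.expired(now) and cached.tls_required and not fresh.tls_required:
            return cached
        self._cache[domain] = fresh
        return fresh


# Constructed inputs: honest and stripped EHLO replies, a genuine policy record
# and a forged one that switches TLS off.
NOW = 1_000_000.0
HONEST_EHLO = ["250-mail.example.com", "250-STARTTLS", "250 SIZE 35882577"]
STRIPPED_EHLO = ["250-mail.example.com", "250 SIZE 35882577"]
GOOD_RECORD = "v=STSv1; to=true; mx=mail.example.com,*.example.net; e=604800"
FORGED_RECORD = "v=STSv1; to=false; mx=mail.example.com; e=604800"


def run_scenarios() -> dict:
    cache = PolicyCache()
    honest = ServerSession(HONEST_EHLO, "mail.example.com", True)
    stripped = ServerSession(STRIPPED_EHLO)
    selfsigned = ServerSession(HONEST_EHLO, "attacker.invalid", False)
    wrong_name = ServerSession(HONEST_EHLO, "mail.other.example", True)
    r = {}
    # No policy: plain opportunistic STARTTLS accepts everything.
    r["opp_honest"] = decide(honest, None, NOW)[0]
    r["opp_stripped"] = decide(stripped, None, NOW)[0]
    r["opp_selfsigned"] = decide(selfsigned, None, NOW)[0]
    # Strict policy learned on a first, assumed-clean lookup.
    policy = cache.lookup("example.com", GOOD_RECORD, NOW)
    r["sts_honest"] = decide(honest, policy, NOW)[0]
    r["sts_stripped"] = decide(stripped, policy, NOW)[0]
    r["sts_selfsigned"] = decide(selfsigned, policy, NOW)[0]
    r["sts_wrong_name"] = decide(wrong_name, policy, NOW)[0]
    # Forged record served an hour later: the cached strict policy still wins.
    r["forged_ignored"] = cache.lookup("example.com", FORGED_RECORD, NOW + 3600).tls_required
    # After max_age the forgery is accepted: the trust-on-first-use caveat.
    r["forged_after_expiry"] = cache.lookup("example.com", FORGED_RECORD, NOW + 604801).tls_required
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

    Run it and the opportunistic sender delivers in every scenario, in cleartext when STARTTLS is stripped and over an unauthenticated TLS session when a self-signed certificate is presented; with the strict policy cached, the same two sessions are refused, as is a trusted certificate for a name outside the policy's mx patterns. The last two results show the HSTS-style caveat: the forged record is ignored only while the genuine policy is unexpired.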

    According to recent Google data, 83% of messages sent by Gmail users to other email providers are encrypted in transit, but only 69% of messages arriving from other providers are received over an encrypted channel.

    Encryption rates also vary widely between regions: providers in Asia and Africa lag far behind their European and American counterparts.

    Original article: http://www.infoworld.com/article/3046850/security/google-microsoft-yahoo-and-others-publish-new-email-security-standard.html

    PS: I welcome constructive criticism of the translation, thanks.
