Google announced a new collaboration with other major companies, including Microsoft, Yahoo and Comcast, to implement a new protocol that would ensure all email remains encrypted in transit. Google also introduced a new page in its Safe Browsing system that will encourage those under attack by governments to increase their security by using SMS-based two-factor authentication or a physical Security Key.
Earlier this year, Google introduced some notifications in Gmail that would alert users before they would send their email to another address that doesn’t use encryption. According to Google, this has had the effect of increasing the amount of email sent over encrypted connections by 25 percent.
However, Google also found out from the recent research it has done with the Universities of Michigan and Illinois that attackers could still tamper with email encryption. That’s why it collaborated with Microsoft, Yahoo, and Comcast to create the SMTP Strict Transport Security standard to ensure that email travels only through encrypted channels. Any issues with the encryption would also be reported so that the companies can better understand where the attacks are happening.
Since 2012, Google has begun warning Gmail users of state-sponsored attacks. According to the company, only 0.1 percent of its users have been the targets of such attacks, although considering Gmail has hundreds of millions of users, that’s still hundreds of thousands of attacked users. The targets typically include activists, journalists and policy-makers.
For those that are targeted by state-sponsored attackers, Google launched a new warning page that also acts as an instructions page for how to increase their own security. The users can enable SMS-based two-factor authentication or a FIDO U2F-enabled Security Key.
Although these new security features should help email encryption become stronger, the state-of-the-art remains end-to-end encryption, such as the one employed by PGP-based tools. Ultimately, most of these companies working on the new email encryption protocol rely on revenue from advertising, which implies data mining their users’ email contents.
That’s why it's in direct conflict with end-to-end encryption, because only the users communicating with each other could see the email contents. Google was supposed to also work on the End-To-End encryption browser plugin, but so far progress has been rather slow on that front. Even if it’s eventually finished, it likely won’t be used or promoted as a default solution for most Gmail users.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.
Looking through my password library, I have a dozen financial and government accounts, five credit card accounts, about 20 shopping accounts, and about 40 membership type accounts (Netflix, UPS, my web host, etc). If every single one of them insisted I use their proprietary two-factor app, it would be insane. So I boycott the sites which won't let me use an app like Authy.
All modern mail clients support S/MIME and signing automatically, so once you've installed each other's certificates it's pretty painless, though you may need to renew them every now and then.
What we really need are more tools to make this easier. None of the mail clients bundled with an operating system seem to have tools for generating encryption/signing certificates built in which is a pretty big omission and makes things more difficult. It would even make sense if there were a way to persistently advertise the public key for an address; while this would let anyone send you encrypted messages, it wouldn't be likely to be used by spammers as they would need to individually encrypt every message that they currently indiscriminately send out in bulk.
True. Let me add an asterisk to my statement clarifying that it shouldn't require a proprietary app.