Google announced a new collaboration with other major companies, including Microsoft, Yahoo and Comcast, to implement a new protocol that would ensure all email remains encrypted in transit. Google also introduced a new page in its Safe Browsing system that will encourage those under attack by governments to increase their security by using SMS-based two-factor authentication or a physical Security Key.
Earlier this year, Google introduced notifications in Gmail that alert users before they send a message to an address whose mail server doesn’t use encryption. According to Google, this has increased the amount of email sent over encrypted connections by 25 percent.
However, Google also found, in recent research it did with the Universities of Michigan and Illinois, that attackers could still tamper with email encryption. That’s why it collaborated with Microsoft, Yahoo and Comcast to create the SMTP Strict Transport Security standard, which ensures that email travels only through encrypted channels. Any issues with the encryption are also reported, so that the companies can better understand where attacks are happening.
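The SMTP STS proposal described above was later standardised as MTA-STS (RFC 8461), with failure reporting via TLSRPT (RFC 8460). As an added example, not code from the article or from any of the companies named, here is a small Python model of the sender-side logic: parse a domain's published policy, check the MX host against it, and decide whether delivery may proceed when STARTTLS or the certificate check fails. The domain example.com and its policy are constructed for the example.

```python
# Added example for this article (not Google's or the companies' code): MTA-STS
# (RFC 8461) policy parsing and the delivery decision it implies for a sender.
def parse_policy(text):
    """Parse the key: value body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields, mx = {}, []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        if key.strip() == "mx":
            mx.append(value.strip().lower())  # repeats: one line per MX pattern
        else:
            fields[key.strip()] = value.strip()
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    return {"mode": fields["mode"], "mx": mx, "max_age": int(fields.get("max_age", 0))}

def mx_allowed(policy, mx_host):
    """RFC 8461 MX patterns: an exact host, or '*.' plus a domain matching one leading label."""
    host = mx_host.lower()
    for pat in policy["mx"]:
        if pat.startswith("*."):
            suffix = pat[1:]  # "*.backup.example.com" -> ".backup.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif pat == host:
            return True
    return False

def delivery_decision(policy, mx_host, starttls_ok, cert_matches_mx):
    """Return (deliver, failure). In 'enforce' mode the sender must not fall back
    to clear text or an unverified MX; in 'testing' mode it still delivers, and
    in both modes the failure is reported to the domain (TLSRPT, RFC 8460)."""
    failure = None
    if not starttls_ok:
        failure = "starttls-not-supported"
    elif not cert_matches_mx:
        failure = "certificate-host-mismatch"
    elif not mx_allowed(policy, mx_host):
        failure = "mx-not-in-policy"  # constructed label for this example
    if failure is None:
        return True, None
    return policy["mode"] != "enforce", failure

# Constructed sample policy for the fictitious domain example.com.
SAMPLE_POLICY = parse_policy("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                             "mx: *.backup.example.com\nmax_age: 604800\n")
```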
Since 2012, Google has been warning Gmail users of state-sponsored attacks. According to the company, only 0.1 percent of its users have been the targets of such attacks, although considering Gmail has hundreds of millions of users, that’s still hundreds of thousands of attacked users. The targets typically include activists, journalists and policy-makers.
For users targeted by state-sponsored attackers, Google launched a new warning page that also serves as an instruction page on how to increase their own security. Users can enable SMS-based two-factor authentication or a FIDO U2F-enabled Security Key.
Although these new security features should make email encryption stronger, the state of the art remains end-to-end encryption, such as that employed by PGP-based tools. Ultimately, most of the companies working on the new email encryption protocol rely on revenue from advertising, which implies data mining their users’ email contents.
That business model is in direct conflict with end-to-end encryption, under which only the users communicating with each other can see the email contents. Google was also supposed to work on the End-To-End encryption browser plugin, but so far progress on that front has been rather slow. Even if it’s eventually finished, it likely won’t be used or promoted as a default solution for most Gmail users.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.