Google announced that starting this week, Gmail Web users will receive warnings when an email conversation they’re having with someone else is either not encrypted or not authenticated.
Google has been a strong promoter of email encryption for the past few years, especially after the Snowden revelations, when it became more clear to Google as well as other email providers that they need to accelerate their adoption of STARTTLS, which is presently the main TLS-based encryption standard for email.
Not all providers are on board, though, especially many smaller ones. This is why a good portion of email is either not encrypted at all, or if it is, it’s not authenticated, and a man-in-the-middle (mainly national governments) could easily intercept those communications. In a prior study, Google found that as many as 20 percent of emails sent from several countries were susceptible to man-in-the-middle attacks.
The company is now working to lower that rate further by encouraging small providers to increase their services’ security by adopting STARTTTLS encryption and authentication such as DKIM (DomainKey Identified Email) or SPF (Sender Policy Framework).
Google’s solution is to show a broken lock icon in the right corner of the Compose window, which will mean that your contact’s email service doesn’t support encryption.
If you a receive a message from someone, but it’s not authenticated, their profile image will look like a question mark.
Google said that not all email messages that will be affected will necessarily be dangerous, but it’s better to be extra careful when you see that broken lock icon.
Although Google is making some serious efforts to improve TLS encryption for all emails, we haven’t heard much about its End-to-End tool lately, which was supposed to bring strong encryption to the masses. End-to-End uses PGP to encrypt messages with the users’ keys, so no one -- not Google itself nor anyone who might have access to Google’s servers -- can read them anymore, either.
However, since Google launched Inbox as an alternative client to its email service, it has started to look increasingly less likely that the company would adopt strong encryption. A service such as Inbox would not work with strong encryption, at least until homomorphic encryption becomes more mature and much faster.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.