Big tech companies like Google, Microsoft, Yahoo, Comcast and LinkedIn are joining hands to make all your email messages encrypted while they travel between mail servers. What does that mean?
Encryption in simple terms means turning your information into a garbled collection of strings that makes no sense to anyone who does not hold the key to decrypt it. In terms of email encryption, it means that while your email is travelling across the Internet, the message and the attachments it contains cannot be read by anyone watching the wire. The party on the other side needs the key to first decrypt your message and then read it.
It protects potentially sensitive information from being read by an unintended or an unauthorized person.
Why is email encryption important? These days lots of information moves to and fro with email. You can retrieve your online banking passwords with your email. You can carry out credit card transactions. Your email inbox may contain your medical records, your sensitive family details, the images that you wouldn’t like to share with anybody else, I mean, everything these days happens through email and once a person has access to your email, he or she pretty much has access to your entire life. So yes, email encryption is very important for you.
Another thing is, these days we can use the Internet anywhere. You might be checking your email while sitting in an airport lounge or at the bus station using the public Wi-Fi, or at the mall using the Wi-Fi connection of the restaurant or shop you are sitting in. These are not secure connections. When you are sending or receiving emails over them, the traffic can be easily intercepted. If your messages are encrypted, even if they are intercepted, the person intercepting them cannot make sense of them, because the messages are garbled and a decryption key is needed to read them.
In simple terms, if your email message is encrypted, the data and the details it contains appear garbled for the whole time it is travelling the length and breadth of the Internet.
Ideally, email encryption should happen without direct involvement of the people using the email service. Ideally, people shouldn’t have to bother about email encryption. It should be taken care of by the company providing the email service.
This is what technology giants like Microsoft, Google, LinkedIn, Yahoo and Comcast are trying to achieve. Note that this is encryption of the connection between mail servers, not end-to-end encryption of the message itself: the provider at each end still handles your mail in the clear.
Right now Gmail does use encryption in transit, but that protection can be bypassed. Server-to-server encryption in email is "opportunistic": the sending server accepts whatever the receiving server offers and usually does not verify its digital certificate, so an attacker sitting in the middle can present a forged certificate and the connection will be treated as authentic. Google supports TLS (Transport Layer Security) and claims that 70% of Gmail's inbound messages are received over an encrypted connection, but whenever the other side does not offer encryption (or appears not to), the service silently falls back to plain text without the user knowing it.
Most email between servers is carried by SMTP (Simple Mail Transfer Protocol), which was designed without encryption. SMTP STARTTLS, the extension that upgrades an SMTP session to TLS, was standardised back in 1999 (RFC 2487) but took years to be adopted widely, and even where it is deployed it is easy to defeat. A "man-in-the-middle" attacker who can tamper with the connection simply strips the STARTTLS advertisement out of the receiving server's greeting; the sending server then concludes that the destination domain does not support encryption and delivers the message in plain text.
According to the new proposal submitted to the Internet Engineering Task Force, regular email exchanges must be protected against attackers who want to intercept or modify email in transit, either by impersonating the destination server or by breaking TLS (still commonly called SSL) through various existing attacks. The proposal has been prepared by engineers from Google, Yahoo, Comcast, Microsoft, LinkedIn and 1&1 Mail & Media Development.
Before sending the email, the sending server will automatically check whether the destination domain publishes an SMTP STS policy (STS stands for Strict Transport Security), whether the receiving server actually offers encryption, and whether its certificate is valid for the mail server named in that policy. What happens when these criteria are not met depends on the policy the destination domain has published: a domain can ask senders to report failures while still delivering, or to refuse delivery outright, in which case the email won't be delivered and you will be notified why it could not be delivered.
The proposal says, “SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely.”
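The following is an added example, not code from the proposal or from any of the companies named on this page. It models the sending server's decision described above: with no policy, a stripped STARTTLS advertisement leads to a silent plain-text fallback (the weakness described earlier); with a published policy, the sender checks the MX host, the STARTTLS offer and the certificate, and either refuses or reports depending on the policy mode. The `key: value` policy syntax, the `Session` fields and all hostnames are constructed assumptions, since the page does not show the proposal's wire format.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample policy. The "key: value" layout is an assumption made for
# this example; it is not the syntax of the IETF draft quoted on the page.
EXAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup.example.net
max_age: 604800
"""


@dataclass
class Policy:
    mode: str              # "enforce" or "report"
    mx_patterns: List[str]  # hostnames, optionally with a leading "*." wildcard


def parse_policy(text: str) -> Policy:
    """Parse the assumed policy format; raise ValueError on anything unusable."""
    mode: Optional[str] = None
    mxs: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "version" and value != "STSv1":
            raise ValueError(f"unsupported policy version {value!r}")
        if key == "mode":
            if value not in ("enforce", "report"):
                raise ValueError(f"unknown mode {value!r}")
            mode = value
        elif key == "mx":
            mxs.append(value.lower())
    if mode is None or not mxs:
        raise ValueError("policy needs a mode and at least one mx entry")
    return Policy(mode, mxs)


def mx_matches(policy: Policy, hostname: str) -> bool:
    """A "*." pattern matches exactly one leftmost label, never several."""
    host = hostname.lower()
    for pat in policy.mx_patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # ".backup.example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pat:
            return True
    return False


@dataclass
class Session:
    """What the sending server observed after connecting to the MX host."""
    mx_host: str
    starttls_offered: bool
    cert_valid_for: Optional[str]  # hostname the certificate validated for; None if none


def decide(policy: Optional[Policy], s: Session) -> Tuple[str, str]:
    """Return (action, reason); action is deliver-tls, deliver-plaintext or refuse."""
    if policy is None:
        # Opportunistic STARTTLS: no policy means no way to tell a server that
        # lacks TLS from one whose STARTTLS offer was stripped by an attacker.
        if s.starttls_offered:
            return ("deliver-tls", "opportunistic TLS, certificate not verified")
        return ("deliver-plaintext", "STARTTLS not advertised; silent fallback")

    problems = []
    if not mx_matches(policy, s.mx_host):
        problems.append(f"MX host {s.mx_host} is not listed in the policy")
    if not s.starttls_offered:
        problems.append("STARTTLS not advertised (possible STRIPTLS attack)")
    elif s.cert_valid_for is None or s.cert_valid_for.lower() != s.mx_host.lower():
        problems.append("certificate invalid or does not match the MX host")

    if not problems:
        return ("deliver-tls", "policy satisfied")
    if policy.mode == "enforce":
        return ("refuse", "; ".join(problems))
    # report mode: deliver as opportunistic STARTTLS would, but record the failure
    action = "deliver-tls" if s.starttls_offered else "deliver-plaintext"
    return (action, "report-only: " + "; ".join(problems))


if __name__ == "__main__":
    pol = parse_policy(EXAMPLE_POLICY)
    stripped = Session("mail.example.net", starttls_offered=False, cert_valid_for=None)
    print("no policy:", decide(None, stripped))   # silent plain-text fallback
    print("enforce:  ", decide(pol, stripped))    # refused, sender is told why
```

The same stripped session is delivered in plain text without a policy and refused under an enforce policy; switching the sample policy's mode to `report` delivers it anyway but attaches the failure reason, which is the "report upon and/or refuse" behaviour the proposal describes.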
Is it something totally new? Although we have been using email since time immemorial (in Internet years), the technology used to ferry digital messages around hasn't been seriously upgraded in terms of security. The building blocks, such as strict transport security and proper certificate validation, have long existed on the web (your browser already uses HSTS), but not in your inbox. The latest proposal aims to plug this hole.