On the most part, emails have become part of our lives and at this point in time, it’s safe to assume that anyone with an active Internet connection is sending and receiving emails on a daily basis, whether for personal, professional reasons or otherwise. However, as widely popular as electronic mailing has become over the years, it turns out that emails are not as secure as one might think. Most emails are actually sent as unencrypted text using SMTP (Simple Mail Transfer Protocol), which is a rather old protocol in itself and quite vulnerable. The good news is that Google, Microsoft, Comcast, LinkedIn, Yahoo, and 1&1 Mail & Media Development have teamed up and recently submitted a new proposal to the Internet Engineering Task Force (IETF) for a different protocol, in a quest to make our emails more secure.
As it currently stands, an email sent using SMTP (Simple Mail Transfer Protocol) can be intercepted by a third party user (hacker), which can tell the sender’s browser that SSL encryption is inactive. The email is then sent unencrypted without the sender’s knowledge. Fortunately, a new proposal from Google, Microsoft, Yahoo, Comcast, LinkedIn, and 1&1 Mail & Media Development aims to fix this vulnerability by introducing a new protocol. In theory, by using the new standard, a user’s email is protected from attackers who may want to intercept an email in transit through TLS / SSL vulnerabilities. The protocol should achieve this by verifying if the email’s recipient supports encryption before the email is actually sent out. Assuming that the certificate is valid, the email is then securely sent; otherwise, if the destination doesn’t support encryption, the email will fail to deliver and the client will inform the user as to why this is happening.
Google reports that in the last year, 83% of sent emails, and 70% of emails received through Gmail have been using TLS encryption. However, the system is not bulletproof and certain issues can cause these encrypted emails to revert to unencrypted text, thus compromising privacy and security. The proposed standard can technically fix these problems, but it remains to be seen when or if the Internet Engineering Task Force will approve it. Nevertheless, since the protocol has been co-written and proposed by some of the largest email providers in the industry, it may become the new standard sooner rather than later.