
Google, Microsoft, Yahoo… unveiled new Email security standard

by admin

Engineers from the biggest email service providers have teamed up to improve the security of email traffic on the Internet.
Designed by engineers at Google, Microsoft, Yahoo, Comcast, LinkedIn and 1&1 Mail & Media Development & Technology, the "SMTP Strict Transport Security" protocol is a new mechanism that lets email providers define policies and rules for establishing encrypted connections.
The new mechanism is a draft that was published at the end of last week for consideration as an Internet Engineering Task Force (IETF) standard.
The Simple Mail Transfer Protocol (SMTP), used to send messages between mail clients and servers, usually from one ISP to another, dates back to 1982 and does not provide encryption of its own.
For this reason, an extension called STARTTLS was added to the protocol in 2002, enabling TLS (transport layer security) for SMTP connections. Unfortunately, over the following decade it was not widely adopted, and email traffic between servers remained mostly unencrypted.
That all changed after 2013, when, with the help of former NSA employee Edward Snowden, secret documents were leaked that revealed widespread Internet surveillance by the intelligence services of the United States, Britain and other countries.
In May 2014, Facebook, which sends billions of notifications to users every day, ran a test and found that 58 percent of those emails were sent over STARTTLS-encrypted connections. By August of that year, the figure had risen to 95 percent.
However, there is a problem: unlike HTTPS (secure HTTP), STARTTLS provides only opportunistic encryption. It does not require the digital certificate of the mail server to be validated, and connections whose certificates fail that check are still accepted, on the reasoning that encrypted traffic is better than nothing.
This means that STARTTLS connections are vulnerable to "man-in-the-middle" attacks: an attacker who intercepts the traffic can present any certificate, even a self-signed one, and it will be accepted, allowing the traffic to be decrypted. Moreover, STARTTLS connections are vulnerable to so-called downgrade attacks, in which the encryption is simply stripped out.
SMTP Strict Transport Security (SMTP STS) addresses both of these issues. It gives mail providers a way to tell connecting clients that TLS is available and must be used. It also tells them how the presented certificate should be validated and what should happen if a secure TLS connection cannot be established.
These SMTP STS policies are defined in special DNS records added to the mail server's domain name. The protocol provides a mechanism for automatically validating these policies and reporting any failures.
Servers can also instruct clients to cache their SMTP STS policies and specify for how long; the cached policy determines how the client deals with a man-in-the-middle attacker presenting a bogus policy when it later tries to connect.
The proposed protocol is similar to HSTS (HTTP Strict Transport Security), which prevents HTTPS "downgrade" attacks by caching per-domain HTTPS policies in the browser. This, however, assumes that the first connection from a given client to the server is made without interference; otherwise a fraudulent policy could be cached as well.
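To make the sending-side behaviour described above concrete, here is an added simulation; it is not code from the draft or from any of the providers named in the article. The policy fields, the cache and the outcome labels are assumptions of this example, not the draft's DNS record format; it shows opportunistic STARTTLS accepting a stripped or self-signed connection, a cached policy refusing or reporting the same, the policy expiring after its lifetime, and the first-connection window in which a bogus policy is trusted.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Constructed SMTP STS-style policy (field names are illustrative, not the draft's)."""
    require_tls: bool          # must STARTTLS be offered and used?
    validate_cert: bool        # must the server certificate chain to a trusted CA?
    on_failure: str            # "refuse" or "report" (deliver anyway, but record a report)
    max_age: int               # seconds the policy may be served from cache
    fetched_at: float = 0.0

@dataclass
class Offer:
    """What the receiving server (or an interceptor) presents on this connection."""
    starttls: bool
    cert_trusted: bool

@dataclass
class SenderMTA:
    cache: dict = field(default_factory=dict)
    reports: list = field(default_factory=list)

    def learn_policy(self, domain, policy, now):
        # Whatever policy is seen first is trusted until max_age: the HSTS-style first-use window.
        policy.fetched_at = now
        self.cache[domain] = policy

    def decide(self, domain, offer, now):
        policy = self.cache.get(domain)
        if policy and now - policy.fetched_at > policy.max_age:
            del self.cache[domain]      # lifetime expired, back to opportunistic behaviour
            policy = None
        if policy is None or not policy.require_tls:
            # Plain STARTTLS: encrypt if offered, accept any certificate, else fall back to cleartext.
            if not offer.starttls:
                return "deliver-plaintext"
            return "deliver-tls" if offer.cert_trusted else "deliver-tls-unverified"
        failure = None
        if not offer.starttls:
            failure = "starttls-missing"
        elif policy.validate_cert and not offer.cert_trusted:
            failure = "certificate-invalid"
        if failure is None:
            return "deliver-tls"
        self.reports.append((domain, failure))   # the policy's reporting hook
        if policy.on_failure == "refuse":
            return "refuse"
        return "deliver-tls-unverified" if offer.starttls else "deliver-plaintext"
```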
According to the latest Google data, 83% of the emails sent by Gmail users to other email providers are encrypted, but only 69% of incoming emails from other providers are received through an encrypted channel.
There is also a lot of inconsistency in email encryption between regions of the world: providers in Asia and Africa are doing much worse than their European and American counterparts.
Original article: http://www.infoworld.com/article/3046850/security/google-microsoft-yahoo-and-others-publish-new-email-security-standard.html
Zy: I call for constructive criticism of the translation, thank you.
