Gmail will soon alert you when you receive unencrypted emails. In an attempt to boost security for Gmail users, Google is currently developing a new alert system that will warn you when messages are received from unencrypted sources.
Google’s Email Security Study
The development of the search giant’s new warning system was sparked by a two-year study Google conducted with the help of the University of Illinois and University of Michigan. The study took a close look at email security and how it’s evolved, and showed that the industry is becoming largely reliant on encryption.
But Google found that certain groups are undermining both encryption and DNS servers, which allows attackers to intercept messages and alter them before the user receives them.
Gmail-to-Gmail communication is always encrypted, but communication between other providers that have not adopted STARTTLS encryption may be impacted.
Users won’t have to do anything to activate this feature. The alert system will start sending warning messages as soon as the feature is rolled out by Google in the next few months.
Unsecured Email Alert is a Step in the Right Direction
Many experts are saying that Gmail’s new unencrypted email alert is like “warning someone that a burglar is at the door.” Sure, it will alert you to the issue, but it won’t necessarily help prevent it. But many other experts are saying that the alert is simply part of a multi-step process and is not a final solution.
The new alert system is expected to be rolled out in the next few months.
Growing Email Security Concerns
Of the 700,000 SMTP servers connected to Alexa’s top 1 million domains, 82% support TLS (Transport Layer Security). Despite this, just 35% are properly configured to allow server authentication. To make matters worse, a DMARC authentication policy is only specified by 1.1% of these domains.
SMTP (Simple Mail Transfer Protocol) does not encrypt emails that are in transit, nor does it authenticate senders. Unprotected communication does exist, and it’s a growing issue. Furthermore, the Sender Policy Framework policies that mail servers do specify are often overly broad. All these factors allow for the downgrading of TLS connections and ultimately impact future security.
According to the study, there are over 41,000 SMTP servers in nearly 200 countries that are unable to protect email because of corrupted STARTTLS protocol extensions. In 7 countries, encryption is prevented for over 20% of Gmail messages, and network attackers are rendering these messages in cleartext. As a result, attackers are able to observe and intercept emails.
In addition to this, fraudulent email addresses are being provided for Gmail’s SMTP servers via 14,600 domain name system servers in 69 countries. These domain name system servers are publicly accessible.
Part of the problem is that SMTP has no way to require mail to be protected by TLS, and even if TLS is used, there is no reliable way for senders to verify that the recipient’s email server is authentic.
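The following Python sketch is an added example, not code from Google or the study. It shows why a corrupted STARTTLS offer goes unnoticed by an opportunistic sender. The EHLO replies are constructed samples, and delivery_decision and downgrade_suspected are hypothetical helper names for a sender-side policy and check.

```python
# Added example; sample replies are constructed, not captured traffic.
HONEST = ("250-mx.example.net\r\n250-SIZE 35882577\r\n"
          "250-8BITMIME\r\n250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
# Same reply after an on-path device has overwritten the STARTTLS keyword.
STRIPPED = HONEST.replace("STARTTLS", "XXXXXXXA")


def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line 250 reply."""
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index == 0:
            continue  # first line carries the server's domain, not an extension
        fields = text.split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def delivery_decision(reply, require_tls):
    """Hypothetical sender policy: 'starttls', 'cleartext' or 'defer'."""
    if "STARTTLS" in parse_ehlo(reply):
        # Encrypted, but the certificate is still unverified at this point.
        return "starttls"
    # Plain SMTP gives the sender no signal that the offer was removed, so
    # an opportunistic sender falls back; a strict local policy holds the mail.
    return "defer" if require_tls else "cleartext"


def downgrade_suspected(previous_reply, current_reply):
    """Flag a host that offered STARTTLS earlier and no longer does."""
    return ("STARTTLS" in parse_ehlo(previous_reply)
            and "STARTTLS" not in parse_ehlo(current_reply))


if __name__ == "__main__":
    for name, reply in (("honest", HONEST), ("stripped", STRIPPED)):
        print(name, delivery_decision(reply, False), delivery_decision(reply, True))
    print("downgrade suspected:", downgrade_suspected(HONEST, STRIPPED))
```
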
Encouraging the Adoption of STARTTLS
In addition to developing its new alert system, Google is also encouraging the adoption of STARTTLS. As more email providers adopt STARTTLS, more emails will be encrypted by default as a result.
Google has stated that STARTTLS will not only prevent snooping, but can also prevent the restriction of the free flow of information.
Although no start date has been announced for the new alert system, Google did note that users will start seeing these warnings in the coming months. Keep an eye on your Gmail inbox for unencrypted email warnings. You may be surprised by the number of unsecured messages you receive.