Google says that in spite of its encryption efforts, 40 - 50% of emails sent between Gmail and other email providers still aren’t encrypted.
When emails are sent unencrypted they can be read by any bad actors or governments with access to the networks they travel through.
Gmail uses Transport Layer Security (TLS) to create an encryption 'tunnel' between its own mail servers and everyone else's. When emails are in the tunnel they can't be spied upon.
But hey, a tunnel has two ends. Or, as Brandon Long, Tech Lead of Google's Gmail Delivery Team, puts it:
The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can't do it alone.
To help people understand whether their email is actually protected with encryption, Google on Tuesday launched a new section in its Transparency Report that shows which email providers are doing what with encryption.
Many providers have switched on encryption, while others have pledged to do so, Long said. As they do, we'll see an increasing amount of email that's shielded from interception.
Google said that fewer than half of the messages it swapped with Microsoft's Hotmail servers were encrypted.
In December, as part of its pledged anti-NSA-level encryption, Microsoft said it's working with email providers to make sure messages remain encrypted.
But encryption between mail servers is only part of the story when it comes to keeping emails secure from prying eyes.
There are two kinds of encryption used with email; the encryption 'tunnels' that protect emails on the move and end-to-end encryption which protects emails both in transit and at rest, and which can only be decrypted by the intended recipient.
On Tuesday, Google acknowledged that end-to-end encryption is great in theory but tricky to implement.
Encrypting traffic between mail servers is much more widely used because it puts the tricky, technical implementation into the hands of system administrators.
So, alongside its efforts to increase encryption between mail servers, Google is also trying to grease the wheels of end-to-end encryption with a prototype Chrome extension called, appropriately enough, End-to-End.
Right now the extension is only available as code so that the computer security community can help to test it. Google says once it's ready for general use it'll appear in the Google Chrome store.
The Electronic Frontier Foundation (EFF) is taking credit for lighting the fires that have sparked much of the encryption advances in recent months.
As Technology Projects Director Peter Eckersley said in a post on Tuesday, the group has been working for the past few years to promote the universal use of encryption for internet protocols.
In November, the EFF also launched its Encrypt the Web Scorecard, which, in addition to web encryption, added a second focus on securing transmissions between mailservers.
That was an important element in protecting against non-targeted dragnet surveillance, Eckersley wrote, but there's still work to be done:
More mail operators need to implement STARTTLS, and some of those that already support STARTTLS need to upgrade their servers to support modern ciphers and forward secrecy.
But however slowly, however painfully, it sounds like we just might be getting somewhere.
That's good news for those of us who are wary of snooping - whether it's by the government, crooks or garden-variety creeps.
And, if you want to know what else you could be doing to improve your privacy by using and demanding more encryption then you're in good company.
Today the internet is engaging in world-wide campaign aimed at doing exactly that; it's called Reset The Net.
No comments:
Post a Comment