Google, Microsoft, Yahoo: We want to stop email snooping by fixing these encryption flaws

Web giants are working on a way to counter the threat of downgrade attacks on STARTTLS.


Web giants are collaborating to fix some of the problems that expose STARTTLS to attacks that downgrade encrypted connections to insecure ones.

Amazon, Facebook, Google, Microsoft, Yahoo, and others have all started supporting STARTTLS, an extension that can upgrade plain text connections on the Simple Mail Transfer Protocol (SMTP) to encrypted ones.


But according to recent research, to which Google contributed, one problem with the "opportunistic encryption" that STARTTLS enables is that the system "favors failing open": if something isn't right, the email is still sent unencrypted, also known as 'in the clear'.

This design is meant to encourage adoption of STARTTLS. However, the research highlights that attackers are easily able to use network devices to force a downgrade to non-encrypted channels.

In Tunisia, for example, the researchers found that 96 percent of email sent from the nation to Gmail is sent in the clear.

Now Google, Yahoo, Comcast, Microsoft, LinkedIn, and 1&1 Mail & Media Development and Technology are seeking to fix this problem in an IETF proposal called SMTP Strict Transport Security.

The other issue the proposal seeks to resolve is the authenticity of the Message Transfer Agent (MTA) server.

One measure the proposal introduces is the ability to stop delivering a message when it cannot be delivered securely. It does this through SMTP STS policy records, which let a sending service check a recipient's policy before sending an email.

"SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely," the draft proposal reads.
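To make the mechanism concrete, here is an added illustration (not code from the draft or from any of the companies named) of the sender-side decision the article describes: a parsed recipient policy turns the "fail open" default into an explicit refuse-or-report choice. It assumes a simplified `key: value` policy text with `mode` and `mx` entries, which is a stand-in for the draft's real record syntax, and the hostnames are constructed.

```python
from dataclasses import dataclass

@dataclass
class StsPolicy:
    mode: str          # "enforce": refuse insecure delivery; "report": deliver but report
    mx_patterns: list  # allowed MX hostnames; a "*." prefix matches exactly one extra label

def parse_policy(text):
    """Parse 'key: value' lines of the (assumed, simplified) policy format."""
    mode, mxs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "mode":
            mode = value
        elif key == "mx":
            mxs.append(value)
    if mode not in ("enforce", "report") or not mxs:
        raise ValueError("policy missing mode or mx entries")
    return StsPolicy(mode, mxs)

def mx_matches(pattern, host):
    """Exact match, or wildcard '*.suffix' matching exactly one additional label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and "." not in host[:-len(suffix) - 1]
    return host == pattern

def delivery_decision(policy, mx_host, starttls_offered, cert_valid_for_host):
    """Decide what the sender does. Without a policy, SMTP 'fails open' and sends
    in the clear; with one, 'enforce' refuses and 'report' delivers but flags it."""
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy.mx_patterns):
        problems.append("MX host not permitted by policy")
    if not starttls_offered:
        problems.append("STARTTLS not offered (possible downgrade)")
    elif not cert_valid_for_host:
        problems.append("certificate failed validation")
    if not problems:
        return ("deliver", "TLS-secured")
    if policy.mode == "enforce":
        return ("refuse", "; ".join(problems))
    return ("deliver-and-report", "; ".join(problems))

# Constructed sample policy for illustration only (hypothetical domain).
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail1.example.net\nmx: *.mx.example.net\n"
```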

The IETF draft was submitted by the web firms on Friday and expires on September 19.
