Google wants to add 'not encrypted' warnings to Gmail
Bad actors named and shamed
Google is getting ready to alert Gmail users when messages are received in the clear instead of via encrypted transport, in response both to slow adoption of encryption by some hosts, and apparent hostility to encryption in some countries.
Seven countries – Tunisia, Iraq, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho – should be regarded as dangerous places to send emails, according to Google's research.
In all of those cases, “STARTTLS stripping” – forcing the sending machine to skip encryption and degrade the communication to plain text – results in more than 20 per cent of messages arriving without protection.
Most of them are in the twenties, from Lesotho (20.25 per cent) to Iraq (25.61 per cent), but Tunisia is a standout: it degrades e-mail communications back to clear text in 96.13 per cent of cases.
As readers will remember, the world is just catching up with the idea that e-mail security is lagging far behind our use of encryption for other services.
Google's multi-year project, published by the Association for Computing Machinery, comes to a similar conclusion: there's a long tail of servers managed that aren't keeping up with the need to encrypt.
And there's a lot such machines out there, the research finds: “best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35 per cent successfully configure encryption, and 1.1 per cent specify a DMARC authentication policy”, the research states.
“This security patchwork— paired with SMTP policies that favor failing open to allow gradual deployment— exposes users to attackers who downgrade TLS connections in favour of cleartext and who falsify MX (mail exchanger) records to reroute messages.”
The MX record is a DNS entry indicating where to send messages for a particular target domain. The worst offender in terms of fake MX records was Slovakia, followed by Romania, Bulgaria, India, Israel, Switzerland, Poland and Ukraine.
“Whether malicious or well-intentioned, STARTTLS stripping and falsified DNS records highlight the weakness inherent in the failopen nature and lack of authentication of the STARTTLS protocol.”
There's good news in the research, however: between December 2013 and October 2015, the proportion of encrypted emails Gmail received from non-Gmail addresses nearly doubled, from 33 per cent to 61 per cent, and the proportion of outgoing Gmails using TLS rose from 60 per cent to 80 per cent.
More than 94 per cent of inbound messages to Gmail use some form of authentication, the post notes.