Google has announced plans to tell Gmail users which emails have been sent through an encrypted connection and which have not.
In a recent announcement, Google said that it would issue a warning to a user if they had received a message through a non-encrypted connection.
In a Google blog post, authors Elie Bursztein from the Google Anti-Fraud and Abuse Research division, and Nicolas Lidzborski, a Gmail Security Engineering Lead, said that Google is constantly facing new security challenges and is working partners through the the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) to promote better email security.
Gmail uses Transport Layer Security (TLS) to create an encryption ‘tunnel’ between its own mail servers and everyone else’s. When emails are in the tunnel they can’t be spied upon.
TLS (Transport Layer Security) is a way of encrypting the communications between email servers in the delivery chain, keeping the content of messages secure in transit.
TLS does have some limitations – emails sent using TLS aren’t encrypted before they leave your computer, while they’re being processed by the email servers that pass them along, or after they reach their final server.
But they also can’t be intercepted when they’re travelling between servers, which is a good thing.
The warnings aren’t the only thing Google is working on to improve email security.
Google previously announced that in June 2016 it would start rejecting emails that do not satisfy DMARC (Domain-based Message Authentication, Reporting, and Conformance) specifications.
Essentially DMARC is a system designed to detect spoof emails by allowing companies to determine if an email is authorised and the content of the email has not been modified. This fits neatly into Gmail’s secure thinking, as it will offer a more robust Gmail service with fewer opportunities for tampering or the bad stuff landing inside inboxes.
In particular, Gmail will support the draft Authenticated Received Chain (ARC) protocol to help mailing list operators adapt to the need for strong authentication, with Google, Microsoft and Yahoo those deploying the draft initially.
This permits an organisation who is creating or handling email to indicate their involvement with the handling process, by adding a cryptographically signed header.
The new warnings will alert users to whether or not their messages are legitimate, and give them a heads up if they’ve been censored or altered.
This is one of a series of announcements to improve email security by Google, after it announced last week that its expanding its Safe Browsing Protection to include social engineering protection. If Google determines a page to be bad, Chrome will display a warning which will be similar to the malware and phishing notifications already issued.
All in all, these are very positive moves from Google to offer a more secure service and better security to users.
Google’s offering is about it making efforts to ensure that the bad stuff is filtered out and, if it works and the protocols are deployed elsewhere with Google’s stamp of approval firmly on it, then a more secure email service may be likely.
The warnings will be rolled out to all users over the next couple of months.