Slashdot Mirror


What Gmail's New TLS Icon Really Means: Email Encryption Is Still Broken

An anonymous reader writes: On Safer Internet Day Google announced that Gmail will display warning signs for missing encryption and authentication, a great initiative indeed! Now that it's live we've taken it for a spin, only to find that the warning when composing email is quite slow (for new domains), and that they fail to mention that the non-authenticated TLS encryption that the currently sad state of SMTP encryption leaves us with is really poor, and vulnerable to almost anything (except passive wiretapping). I rather wish they took a stance on how we could move on to proper email encryption.

2 of 129 comments

  1. WTF? End-to-end encryption not even mentioned!?!? by unrtst · Score: 4, Informative

    Use S/MIME, PGP, etc...
    All the transport level stuff isn't going to protect your email or ensure it's not modified in transit (or at the destination or origin).

    Gmail's help on their new icon:

    If you see the red padlock while composing a message
    Don’t send confidential material, like tax forms or contracts, to that email address.

    Fuck that... if you're sending confidential email without encrypting the content, you're already screwed.
    For semi-important information, one should at least digitally sign the content to prove it wasn't modified in transit (ex. this should be used for any contracts, and if it's very sensitive, it should also be encrypted, and not just on the transport layer).

  2. Re:Crypto infrastructure is too frigging hard! by scdeimos · Score: 4, Informative

    If you're thinking STARTTLS then your encrypted transport system is already broken. Use the proper SMTPS ports. A number of ISPs (including TPGi in Australia) use Cisco PIX appliances (and others) to intercept SMTP tcp/25 traffic from their users. And they force unencrypted connections by not reporting STARTTLS in the EHLO response. Your privacy and security, broken in the name of "SPAM control."
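
The downgrade described in the comment above (a device on the path hiding STARTTLS from the EHLO response), seen from the client side as an added example that is not part of the Slashdot thread: a check that never falls back to plaintext and flags a likely strip. The sample replies, the pin set and the X-masking heuristic are assumptions made for illustration.

```python
import re

# Constructed EHLO replies (not captured traffic): the same server seen
# directly, and through a device that hides the STARTTLS keyword.
DIRECT = "250-mail.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
FILTERED = "250-mail.example.net\r\n250-SIZE 35882577\r\n250-XXXXXXXA\r\n250 8BITMIME\r\n"
PLAIN = "250-old.example.org\r\n250 SIZE 10240000\r\n"


def ehlo_keywords(reply):
    """Return the upper-cased ESMTP keywords of a multi-line 250 reply."""
    keywords = set()
    for line in reply.splitlines()[1:]:  # line 0 is the server's greeting
        match = re.match(r"250[ -](\S+)", line)
        if match:
            keywords.add(match.group(1).upper())
    return keywords


def tls_verdict(host, reply, offered_before):
    """Decide how a client that never falls back to plaintext should proceed.

    offered_before is a set of hosts that advertised STARTTLS on an earlier
    connection (a hypothetical local pin store).
    """
    keywords = ehlo_keywords(reply)
    if "STARTTLS" in keywords:
        offered_before.add(host)
        return "upgrade"
    # Assumption: an inspecting device may overwrite a keyword with X
    # characters instead of deleting the line; treat that as a strong hint.
    masked = any(re.fullmatch(r"X{4,}[A-Z]?", k) for k in keywords)
    if masked or host in offered_before:
        return "refuse: STARTTLS missing, downgrade suspected"
    return "refuse: STARTTLS not offered"


if __name__ == "__main__":
    pins = set()
    for name, reply in [("direct", DIRECT), ("filtered", FILTERED)]:
        print(name, "->", tls_verdict("mail.example.net", reply, pins))
    print("plain ->", tls_verdict("old.example.org", PLAIN, pins))
```

With Python's `smtplib`, the same keyword test is available as `has_extn("starttls")` after `ehlo()`, and `starttls()` raises `SMTPNotSupportedError` when the server did not advertise it.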