Slashdot Mirror


What Gmail's New TLS Icon Really Means: Email Encryption Is Still Broken

An anonymous reader writes: On Safer Internet Day Google announced that Gmail will display warning signs for missing encryption and authentication, a great initiative indeed! Now that it's live we've taken it for a spin, only to find that the warning when composing email is quite slow (for new domains), and that they fail to mention that the non-authenticated TLS encryption that the currently sad state of SMTP encryption leaves us with is really poor, and vulnerable to almost anything (except passive wiretapping). I rather wish they took a stance on how we could move on to proper email encryption.

3 of 129 comments

  1. Re:gmail is what has broken email. by DarkOx · Score: 4, Interesting

    Well you have to look at the whole story though.

    Consider all the vulnerabilities that have been found in MTAs, MDAs, and clients over the years. Then consider all the trojans and spam with tracking stuffs, etc. Google filters almost all of the latter quite successfully; as to the former, for many people and organizations it replaces all those things, and so far the infrastructure has been well maintained and resistant to breaches (that we know of). It's also pretty carefully monitored. I suspect the ancient Sendmail install on that old SGI box at your ISP could have sat compromised for weeks or months before anyone would have noticed in the years before Gmail.

    When you look at it from all sides, it's not so clear-cut.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  2. You are doing it wrong by gweihir · Score: 3, Interesting

    You are calling for link-encryption. That is obvious nonsense for email. Proper email encryption is end-to-end and does not trust the transport at all.

    Incidentally, this problem has been solved since 1991 with PGP.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re:You are naming it wrong (PGP) by Anonymous Coward · Score: 2, Interesting

    The reason people don't use PGP is because the name Pretty Good Privacy makes it sound amateurish (that and the initialism PGP is too similar to PHP). Maybe they could get more users if they called it Good Privacy or Very Good Privacy, but I know there's a local-maximum trust in there somewhere because I think trust would go down if they called it Excellent Privacy or Perfect Privacy.

    IMO, more people would consider using it if it used an animal name or some name from mythology.