Slashdot Mirror


Google, Microsoft, Yahoo Join Forces To Create New Encrypted Email Protocol

An anonymous reader writes: A group of independent security researchers and major Silicon Valley tech giants have submitted a proposal for a new email protocol called SMTP STS (Strict Transport Security). In theory, this new extension looks like the HSTS (HTTP Strict Transport Security) extension to HTTPS. Much like HSTS, SMTP STS brings message confidentiality and server authenticity to the process of starting an encrypted email communications channel. HSTS works alongside HTTPS to avoid SSL/TLS downgrades and MitM attacks. The biggest names on the contributors list include Microsoft, Google, Yahoo, LinkedIn, and Comcast. Last year, Oracle also submitted a similar proposal called DEEP (Deployable Enhanced Email Privacy).
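To show how an HSTS-style policy stops an SMTP downgrade, here is an added example (not code from the article or from any of the companies named) that parses a policy in the format the SMTP STS draft was later standardized as, MTA-STS (RFC 8461), and turns "STARTTLS failed or the MX host is not the one the policy names" into a delivery decision. The policy text is constructed; the `tls_ok` flag stands in for the sending MTA's own check that STARTTLS succeeded and the certificate matched the MX host.

```python
# Added example: MTA-STS (RFC 8461) policy parsing and delivery decision.
# Policy text below is constructed for illustration.
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 86400
"""

def parse_policy(text):
    """Parse the key: value policy file into a dict; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    return policy

def mx_matches(policy, host):
    """True if host is one of the policy's MX patterns (case-insensitive)."""
    host = host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            # A wildcard covers exactly one leftmost label, not deeper names.
            suffix = pattern[1:]
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """tls_ok: the sender negotiated STARTTLS and the cert matched mx_host."""
    if policy["mode"] == "none":
        return "deliver"
    if mx_matches(policy, mx_host) and tls_ok:
        return "deliver"
    # Non-compliant: 'enforce' keeps the message queued rather than falling
    # back to cleartext or an unlisted host; 'testing' delivers but reports.
    return "defer" if policy["mode"] == "enforce" else "deliver-and-report"
```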


  1. "Transport" != "end-to-end" by QuietLagoon · · Score: 4, Informative

    The emails are still in plain text inside the email servers en route, unless the email sender and recipient use end-to-end encryption.

    1. Re:"Transport" != "end-to-end" by fph+il+quozientatore · · Score: 4, Informative

      > The emails are still in plain text inside the email servers en route, unless the email sender and recipient use end-to-end encryption.

      This. We need one-click client-side e-mail encryption, usable by everyone. Like PGP but without the key management complications and the scary mojibake added to the e-mail body.

      --
      My first program:

      Hell Segmentation fault

  2. Correction by Anonymous Coward · · Score: 2, Informative

    I like that mods actually took their time to edit a description for once, but there's a mistake.

    "The new protocol also works with HTTPS" should be "works like HSTS".

    The original text from the recent submissions page was technically accurate.

    But yeah, since Microsoft, Yahoo and Google joined forces, this almost guarantees the standard will be approved. Once you get the three major email providers to agree on something, it's almost as done.

  3. Re: Storage by Anonymous Coward · · Score: 0, Informative

    Yes it should. In this case it is completely useless if it doesn't support encrypted storage. But these companies love to invent useless stuff as long as they can fool the masses so it's no surprise. They don't have privacy or security in mind. Their primary focus is market-grabbing and ads.

  4. PGP, since 1991. key servers. If people cared by raymorris · · Score: 4, Informative

    > How do you send email to random people encrypted?
    > Your solutions work for internal email, but not external.

    This problem was solved in 1991, in terms of the technical implementation and protocol. The "problem" is that few people care about receiving encrypted email, so they don't publish a key to use for sending them email. Maybe if email clients made it super-easy more people would do it.

    Here's a brief description of how PGP/GPG works. Wherever I publish my email address, I also publish my public key, which I generated. To send me an email, you can either use my address and my public key, or you can let your email client retrieve the key for you, from a key server. Since the email is encrypted with my public key, it can only be decrypted by my private key.

    Personally, I publish my public key on the "Contact Us" page of my web site and on the public key servers.

    The protocol works fine. The problems are that email clients don't make it super-easy for you to generate and publish a key, or to send PGP email using the recipient's key. That's a UI problem, not a protocol problem.