Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google, Microsoft, Yahoo Join Forces To Create New Encrypted Email Protocol

Posted by msmash on from the exciting-email dept.

An anonymous reader writes: A group of independent security researchers and major Silicon Valley tech giants have submitted a proposal for a new email protocol called SMTP STS (Strict Transport Security). In theory, this new extension looks like the HSTS (HTTP Strict Transport Security) extension to HTTPS. Much like HSTS, SMTP STS brings message confidentiality and server authenticity to the process of starting an encrypted email communications channel. HSTS works alongside HTTPS to avoid SSL/TLS downgrades and MitM attacks. to avoid SSL/TLS downgrades and MitM attacks. The biggest names on the contributors list include Microsoft, Google, Yahoo, LinkedIn, and Comcast. Last year, Oracle also submitted a similar proposal called DEEP (Deployable Enhanced Email Privacy).

13 of 123 comments (clear)

  1. Storage by Anonymous Coward · · Score: 2, Insightful

    If the messages are not stored encrypted, what's the point? Private email sitting on Google/Yahoo servers is a much larger attack surface than email in transit.

    1. Re:Storage by Junta · · Score: 5, Insightful

      The storage of content and transmission of content are separate concerns. A standard protocol to cover transmission of messages should not be concerned with the storage of it.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:Storage by MobileTatsu-NJG · · Score: 4, Insightful

      Yeah, I was going to say: If Google actually did do their job correctly they wouldn't be able to monetize GMail.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    3. Re: Storage by Z00L00K · · Score: 4, Insightful

      Encryption of messages is not prevented by this technology, it's two completely different uses.
        - SMTP STS is used for validating the server channel to prevent spoofed servers. It doesn't care about the message content.
        - Encrypted messages already exists and encrypts the message body, but that will require that both sender and receiver have exchanged some information. However these messages don't care about the channel used.

      For best result you need both.

      But I also see problems here:
        - the SMTP STS requires certificates provided by a Certificate Authority (CA), and lately it has been revealed that not every CA is especially good at handling this.
        - It will also require a good implementation of revocation of certificates.
        - The management of the certificates may be costly, both the certificate and the management of it.

      Overall it will drive cost, and that may be what kills this idea.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re: Storage by Junta · · Score: 3, Insightful

      The transport doesn't support *any* concept of storage. It doesn't have to, that's why it's called transport.

      Now you could say you should be using S/MIME or similar as it's more comprehensive end-to-end and secure transport is inadequate, but this is strictly a transport standard.

      It's also a standard that can do something to mitigate risk to those who do not avail themselves of S/MIME.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    5. Re: Storage by Rashkae · · Score: 3, Insightful

      That's the thing.. it's a solved problem,, has been a solved problem for over a decade. If only the big cloud players (MS, Google, Yahoo) got off their behiends and implemented encrypted e-mail that's relatively easy for people to use, that would be a *great* step in the problems being addressed here. Instead, they have to start re-inventing the whole transport protocol, while leaving the goldmine of data storage in the same sad 1980's shape.

  2. Will it come complete with... by evolutionary · · Score: 1, Insightful

    A back door for the email providers and easy access for FBI/CIA?

    --
    "Imagination is more important than knowledge" - Einstein
  3. Don't blame email! by s.petry · · Score: 4, Insightful

    I get really tired of this, because it's completely backward and wrong. Email is fine, and it does exactly what it was intended to do. Route messages from source to destination. People like you want email to be something different, but always arbitrary because there is no solution which works to encrypt out of the box which can not be tampered with. You want secure, that's fine but don't make an insecure protocol for mail routing the answer.

    Use email for email. Attach encrypted files using what ever format you want, and you have control of the encryption. Stop demanding that generic "email" does it all for you, because if you trust any of the companies listed in TFA to give you bullet proof security, you are a tool.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Don't blame email! by Dutch+Gun · · Score: 4, Insightful

      You don't like SMTP don't use it! Go make your own protocol

      /facepalm. That's what we're discussing here.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  4. Re:Solved problem? by Junta · · Score: 3, Insightful

    It could be considered a protocol to negotiate use of TLS more securely.

    S/MIME and OpenPGP would be more thorough solution to the problem.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  5. Re:It's about time by Junta · · Score: 3, Insightful

    GPG and/or S/MIME would address your concern, but this proposal would not.

    This is basically using TLS more properly in SMTP, which in and of itself is good, but far from adequate.

    Here is the tricky thing about TLS: it works well in theory for user-service interactions (e.g. I care I'm talking to 'onlinebanking.bigbank.com'), but not as well for messaging (I'm not conversing with a server, whose identity is hidden away in the headers, I'm conversing with whatever is in the 'From/To/CC/BCC' fields, and those are the folks I care about authenticating)

    --
    XML is like violence. If it doesn't solve the problem, use more.
  6. Re:How about we create a new standard WITHOUT TABL by The-Ixian · · Score: 3, Insightful

    I feel bad for you.

    e-mail marketing is barely 1 step above straight spam.

    If I had it my way, e-mail would be text only or implement some form of markdown

    If you want to have fancy formatting, throw up a web page and go nuts, then send a non-shortened link by e-mail if you absolutely must.

    --
    My eyes reflect the stars and a smile lights up my face.
  7. Re:PGP, since 1991. key servers. If people cared by FlyHelicopters · · Score: 2, Insightful

    This problem was solved in 1991, in terms of the technical implementation and protocol.

    You are confusing the technical solution with the practical end-user solution.

    The "problem" is that few people care about receiving encrypted email, so they don't publish a key to use for sending them email. Maybe if email clients made it super-easy more people would do it.

    That will never, EVER happen. If people have to "publish" a key manually, then you can just forget it.

    Personally, I publish my public key on the "Contact Us" page of my web site and on the public key servers.

    See above. You completely and totally miss the point. If I have to track down a web site, or Google+ page, or Facebook page, and manually copy or use a key from there, you might as well toss the whole idea in the bin.

    If it isn't automatic, then it doesn't exist for 95%+ of computer users.