Google, Microsoft, Yahoo Join Forces To Create New Encrypted Email Protocol

An anonymous reader writes: A group of independent security researchers and major Silicon Valley tech giants have submitted a proposal for a new email protocol called SMTP STS (Strict Transport Security). In theory, this new extension looks like the HSTS (HTTP Strict Transport Security) extension to HTTPS. Much like HSTS, SMTP STS brings message confidentiality and server authenticity to the process of starting an encrypted email communications channel. HSTS works alongside HTTPS to avoid SSL/TLS downgrades and MitM attacks. to avoid SSL/TLS downgrades and MitM attacks. The biggest names on the contributors list include Microsoft, Google, Yahoo, LinkedIn, and Comcast. Last year, Oracle also submitted a similar proposal called DEEP (Deployable Enhanced Email Privacy).

This is important...

[__aaclcg7560]

Yahoo Mail needs to have encrypted email. I haven't changed my password in 20+ years and probably won't for the next 20+ years..

Finally

[Xabraxas]

Email is the backbone of most businesses and it is a horrible insecure mess. Maybe people will finally be able to email secure information easily. Email is easily one of the biggest compliance issues because of how insecure it is.

Re:Don't blame email!

[Dutch+Gun]

The current e-mail protocols were designed at a time when everybody on the internet was expected to play nice. It could use an upgrade for today's significantly more hostile environment. There's really no reason we shouldn't have an upgraded protocol with more security and better authentication built in.

Nothing against the brilliant minds that created some of these early protocols, but they simply couldn't foresee some of the modern security and privacy issues the current internet has to deal with. We've also learned a thing or two about encryption and secure protocols in the last few decades, and upgraded protocols accordingly, right? I think it's a good time to try to introduce an upgraded e-mail standard. Whether it takes hold or not is a question, but with some of the big names apparently behind it, I don't see why not.

BTW, if you're going to reject out of hand a proposal for a new standard because of the names of the companies involved, then you're not thinking things through clearly. This would be an open standard, meaning it's possible for security specialists to vet and declare the protocol safe and secure, just like we do with TLS and other modern protocols. It seems like it would be rather tricky to hide secret backdoors in an open standard.

Re:Don't blame email!

[s.petry]

Analogy time, sorry I could not think up a car analogy..

The current public transit systems were designed at a time when everyone on the system was expected to play nice. All over the world these systems are now dangerous, so must need to be redesigned. You left your wallet sitting on the shelf and someone stole it, it must be the system's fault. You were nekked and someone took photo's of you, must be the system's fault. They blackmailed you with the photo's, has to be the system's fault too. You were on speaker phone and gave the operator all your personal information and someone stole your identity, must be the system's fault. You were just sitting there minding your own business and some guy tried to sell you stuff you didn't want, the goddamn public transit system is bad!

Do you see how poor your logic is? You are blaming a PUBLIC TRANSPORT for how it gets used, but that's not the worst part. You also put things on the transport about it being visible and actions that come from that.

Banks and Governments use armored cars with extremely complex schedules to transport things like money and they don't put things on the public bus system. That is an intelligent and intentional decision that perhaps you need to think more about.