Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google, Microsoft, Yahoo Join Forces To Create New Encrypted Email Protocol

Posted by msmash on from the exciting-email dept.

An anonymous reader writes: A group of independent security researchers and major Silicon Valley tech giants have submitted a proposal for a new email protocol called SMTP STS (Strict Transport Security). In theory, this new extension looks like the HSTS (HTTP Strict Transport Security) extension to HTTPS. Much like HSTS, SMTP STS brings message confidentiality and server authenticity to the process of starting an encrypted email communications channel. HSTS works alongside HTTPS to avoid SSL/TLS downgrades and MitM attacks. to avoid SSL/TLS downgrades and MitM attacks. The biggest names on the contributors list include Microsoft, Google, Yahoo, LinkedIn, and Comcast. Last year, Oracle also submitted a similar proposal called DEEP (Deployable Enhanced Email Privacy).

3 of 123 comments (clear)

  1. This is important... by __aaclcg7560 · · Score: 3, Interesting

    Yahoo Mail needs to have encrypted email. I haven't changed my password in 20+ years and probably won't for the next 20+ years..

  2. Finally by Xabraxas · · Score: 3, Interesting

    Email is the backbone of most businesses and it is a horrible insecure mess. Maybe people will finally be able to email secure information easily. Email is easily one of the biggest compliance issues because of how insecure it is.

    --
    Time makes more converts than reason
  3. Re:Don't blame email! by Dutch+Gun · · Score: 4, Interesting

    The current e-mail protocols were designed at a time when everybody on the internet was expected to play nice. It could use an upgrade for today's significantly more hostile environment. There's really no reason we shouldn't have an upgraded protocol with more security and better authentication built in.

    Nothing against the brilliant minds that created some of these early protocols, but they simply couldn't foresee some of the modern security and privacy issues the current internet has to deal with. We've also learned a thing or two about encryption and secure protocols in the last few decades, and upgraded protocols accordingly, right? I think it's a good time to try to introduce an upgraded e-mail standard. Whether it takes hold or not is a question, but with some of the big names apparently behind it, I don't see why not.

    BTW, if you're going to reject out of hand a proposal for a new standard because of the names of the companies involved, then you're not thinking things through clearly. This would be an open standard, meaning it's possible for security specialists to vet and declare the protocol safe and secure, just like we do with TLS and other modern protocols. It seems like it would be rather tricky to hide secret backdoors in an open standard.

    --
    Irony: Agile development has too much intertia to be abandoned now.