Slashdot Mirror


Gmail's Encryption Warning Spurs 25% Increase In Encrypted Inbound Emails (theverge.com)

An anonymous reader quotes a report from The Verge: Google's efforts to keep users safe might be forcing other email providers to make better security decisions. In February, the company started flagging unencrypted emails, allowing Gmail users to know whether they're sending emails to, or receiving emails from, providers that don't support TLS encryption. Since then, the amount of inbound mail sent over an encrypted connection to Gmail users has increased by 25 percent, Google explained in a blog post released today. The majority of the uptick likely comes from providers updating their clients so they can avoid getting flagged by Google, the company said in a comment to The Verge. Without in-transit encryption, which Google provides by default, emails could potentially be read by attackers because their body and data are sent in plain text. Google is also going to send Gmail users a full-page warning notice if they click on a potentially malicious link. In addition, they are going to increase warnings about state-sponsored attackers with a full-page alert about how to secure accounts through two-factor authentication and the use of a security key.
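
Added example (mine, not code from The Verge report or from Google's post): the warning described above is about the SMTP connection between mail servers, and the only record of that a recipient can inspect afterwards is the Received: trace header each MTA prepends. The script below walks those headers of a constructed sample message and reports, hop by hop, whether the transfer ran under TLS and whether the submission hop was authenticated, using the RFC 3848 transport keywords (ESMTPS, ESMTPSA, ...) and the "(version=... cipher=...)" comment that Postfix- and Gmail-style servers write. The hostnames, addresses and the message itself are made up for the example.

```python
"""Hop-by-hop transport-encryption check from a message's Received: headers.

Added example; not code from the Verge story or from Google. Each MTA that
accepts a message prepends a Received: line and usually records the RFC 3848
transport keyword (ESMTP, ESMTPS, ESMTPSA, UTF8SMTPS, ...) and, on Postfix,
Exim and Gmail-style servers, a "(version=TLS1_2 cipher=...)" comment when
the inbound connection used TLS. Walking those lines answers the question
the thread asks: was the MUA->MTA hop encrypted, and was each MTA->MTA hop?
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample, folded the way real Received: lines are. Delivery
# order is bottom to top: the client submitted over authenticated TLS
# (ESMTPSA), the next relay handed the mail on in plaintext (ESMTP), and
# the final MX accepted it over TLS 1.2 (ESMTPS).
SAMPLE = b"""\
Received: from mail-out.example.net (mail-out.example.net. [203.0.113.7])
        by mx.example.com with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 29 Mar 2016 10:00:03 -0700 (PDT)
Received: from relay.example.org (relay.example.org [198.51.100.4])
        by mail-out.example.net with ESMTP id def456;
        Tue, 29 Mar 2016 10:00:01 -0700 (PDT)
Received: from [192.0.2.25] (client.example.org [192.0.2.25])
        by relay.example.org with ESMTPSA id ghi789
        (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256);
        Tue, 29 Mar 2016 09:59:58 -0700 (PDT)
From: alice@example.org
To: bob@example.com
Subject: quarterly numbers
Date: Tue, 29 Mar 2016 09:59:50 -0700

Body text.
"""

# "from <host> ... by <host> ... with <keyword>" is the RFC 5321 trace shape.
HOP_RE = re.compile(
    r'\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)',
    re.S)
# Negotiated TLS parameters, written as a comment by Postfix/Exim/Gmail.
TLS_RE = re.compile(r'\(version=(?P<version>[^\s)]+)(?:\s+cipher=(?P<cipher>[^\s)]+))?')
# RFC 3848 keywords ending in S (or SA) mean the session ran under TLS.
TLS_KEYWORDS = ('SMTPS', 'SMTPSA', 'LMTPS', 'LMTPSA')


def classify_hops(raw: bytes) -> list[dict]:
    """Return one dict per hop, in delivery order (first hop first)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = []
    # Received: is prepended by each server, so reverse to get delivery order.
    for rec in reversed(msg.get_all('Received', [])):
        text = str(rec)  # policy.default has already unfolded the header
        m = HOP_RE.search(text)
        proto = m.group('proto').upper() if m else ''
        tls = TLS_RE.search(text)
        hops.append({
            'from': m.group('src') if m else '?',
            'by': m.group('dst') if m else '?',
            'proto': proto,
            'authenticated': proto.endswith('A'),   # ESMTPA / ESMTPSA: SMTP AUTH used
            'encrypted': proto.endswith(TLS_KEYWORDS) or tls is not None,
            'tls_version': tls.group('version') if tls else None,
            'cipher': tls.group('cipher') if tls else None,
        })
    return hops


def plaintext_hops(raw: bytes) -> list[tuple[str, str]]:
    """(from, by) pairs that carried the message without TLS."""
    return [(h['from'], h['by']) for h in classify_hops(raw) if not h['encrypted']]


if __name__ == '__main__':
    for i, h in enumerate(classify_hops(SAMPLE), 1):
        state = f"TLS {h['tls_version']} {h['cipher']}" if h['encrypted'] else 'PLAINTEXT'
        print(f"hop {i}: {h['from']} -> {h['by']} via {h['proto']}: {state}")
    print('plaintext hops:', plaintext_hops(SAMPLE))
```

The caveat a practitioner needs: only the Received: line written by a server you control can be trusted. Every earlier line was handed over by the upstream server and can be forged, so a plaintext hop that writes ESMTPS into its own trace line passes this check. The same limit applies to the indicator in the story: Google can observe the connection into its own servers, so the flag speaks for that hop, not for the whole path the message took.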

57 comments

  1. Encrypting the Link is only part of the story by Anonymous Coward · · Score: 1

    Complaining about lack of TLS on the connection is about encrypting the link, not the email. Certainly, email in transit really must be encrypted. But the email itself still sits in the clear on the ISP or email provider's server unless otherwise noted. That's still a problem.

    1. Re:Encrypting the Link is only part of the story by ledow · · Score: 3, Informative

      If the ISP or email provider host the domain that your email is at, is it really that much of a problem?

      Sure end-to-end is nice, but these guys can accept, redirect and intercept your email in a million other ways anyway.

      Personal domains, forwarded emails, etc. - that's another matter entirely. But Google can read anything@gmail.com if they want, etc.

    2. Re:Encrypting the Link is only part of the story by Anonymous Coward · · Score: 0

      Complaining about lack of TLS on the connection is about encrypting the link, not the email. Certainly, email in transit really must be encrypted. But the email itself still sits in the clear on the ISP or email provider's server unless otherwise noted. That's still a problem.

      And it will stay that way because the control is by the email server/client, not the user itself. Not until you are able to make your public key easily available to others can you truly get fully encrypted emails to you.

    3. Re:Encrypting the Link is only part of the story by Blue+Stone · · Score: 4, Interesting

      In some ways I think of this push by Google to encrypt mail as being like that thing they do in the Israeli prisons, where they have a dummy microphone in the cell that's easily discoverable and avoidable and then they hide the real mics where people go to avoid the dummy one - and pick up all the juicy intel, undetected.

      This form of encryption provides the illusion of security; it's like: 'go back to sleep, everything's fine, your government can't snoop on you with its giant, multi-tentacled panopticon'. All the while, the NSA and GCHQ are rather happy and completely undeterred.

      I can't decide who Google is trying to help with this.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    4. Re:Encrypting the Link is only part of the story by Obfuscant · · Score: 1
      I was going to point out the difference between encrypting transport versus encrypting email, but I was beat by the first post.

      If the ISP or email provider host the domain that your email is at, is it really that much of a problem?

      When that "ISP" is in the business of indexing content and selling data to third parties, I think it is reasonable to believe there is a problem.

      As for "a full page notice", just how will this be sent, and just how is Google intercepting web browsing going to a non-Google site? Why, they'll have to insert a redirect through their servers into any links embedded in your email. They'll have to modify the content of your email messages to do that. You can't intercept a web request to "a.bad.site.com" in an email unless the link is modified to come back through google.com first. All my browser knows is that it is a link in a web page, not that it is a special gmail web page with email on it.

    5. Re:Encrypting the Link is only part of the story by shawn2772 · · Score: 2

      Complaining about lack of TLS on the connection is about encrypting the link, not the email. Certainly, email in transit really must be encrypted. But the email itself still sits in the clear on the ISP or email provider's server unless otherwise noted. That's still a problem.

      Clearly, email in clear at the ISP is vulnerable if the ISP is hacked, and to employees of the ISP, etc. But unencrypted e-mail in transit is vulnerable to many people at many locations all along the connection path. End-to-end encryption is better than encryption only on the wire, but it's much better than plaintext on the wire.

    6. Re:Encrypting the Link is only part of the story by unrtst · · Score: 2

      But Google can read anything@gmail.com if they want, etc.

      Not true if one utilizes end to end encryption (pgp/gpg, s/mime, etc).

    7. Re:Encrypting the Link is only part of the story by Obfuscant · · Score: 2

      Not true if one utilizes end to end encryption (pgp/gpg, s/mime, etc).

      Using gmail, one cannot encrypt the header. This includes the source and destination addresses, as well as the trace information.

      One can tell a lot from traffic analysis, even if you can't read the specific words in a message.

    8. Re:Encrypting the Link is only part of the story by SuricouRaven · · Score: 3, Insightful

      With encryption: Google and the US government spy on you.
      Without encryption: Google, the US government, Russia, China, half of Europe, Canada, the script kiddie who hacked your router and an organised crime gang spy on you.

    9. Re:Encrypting the Link is only part of the story by suutar · · Score: 1

      is this not true of all email? How can it be delivered without being able to read the header?

    10. Re:Encrypting the Link is only part of the story by QuestorTapes · · Score: 1

      If the ISP or email provider host the domain that your email is at, is it really that much of a problem?

      Actually, it is. The NSA tapped Google's communication lines with the help of Big Mother Bell (AT&T), and the NSA and anyone they decided to let see the data could read everyone's emails.
      http://www.theguardian.com/wor...

      Due process should matter to everyone.

      Warrant? We don't need no stinking Warrant!

    11. Re:Encrypting the Link is only part of the story by Dynedain · · Score: 4, Insightful

      I think it's exactly the opposite. For so long PGP and other security features for email were ignored because you can't communicate with users on email providers that don't enable it. Same thing with various spam controls - we've always bitched that we can't turn them on because the big vendors ignore it.

      This is a GOOD thing by Google. By turning it on, and making it blatantly obvious to their users, they force the industry as a whole into better practices. They've done the same thing with HTTPS (now mixed-mode errors invalidate your "lock" status) and also spam control (reverse DNS lookups, etc). They are using their position of influence to encourage improvements across the industry and should be applauded.

      It's going to take multiple steps to get to the final goal of end-to-end encryption. You can't jump to the end overnight. Give credit where credit is due.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    12. Re:Encrypting the Link is only part of the story by JesseMcDonald · · Score: 1

      The headers do need to indicate the message's destination, unless you simply want to broadcast to everyone and leave the recipient to identify their own messages by whether or not they have the matching decryption key (which obviously doesn't scale). The destination doesn't need to be complete—for example, the full e-mail address could be encrypted so that only the destination server can see it, while everyone else only needs to know the server name. More importantly, the cleartext headers of a GPG-encrypted e-mail also include the source address, subject line, and list of which servers the message has passed through, among other data, none of which are essential to delivering the message.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    13. Re:Encrypting the Link is only part of the story by shawn2772 · · Score: 4, Interesting

      I can't decide who Google is trying to help with this.

      You're overthinking this. Google is trying to do exactly what it says it's trying to do: Make Gmail more secure for Gmail users. After investing a lot in making its own servers use encryption for every communication, inside and outside, it really bugs Google engineers that they then have to send plaintext to other mail servers whose administrators don't care enough about security to install SSMTP. Then someone realized that Google has an avenue to pressure other mail providers to step up and that Google can highlight the effort it's put into security at the same time. Win/win: Google makes the world better and looks good doing it.

      Why are you looking for some deeper reasons, when the obvious and plainly-stated ones perfectly explain the move?

      (Disclosure: I'm a Google security engineer, though I'm speaking only for myself. If you want an official company position, look at press releases or contact PR.)

    14. Re:Encrypting the Link is only part of the story by Anonymous Coward · · Score: 0

      A big problem right now is hackers from China, Russia, etc intercepting plain text emails.

    15. Re:Encrypting the Link is only part of the story by bickerdyke · · Score: 1

      In some ways I think of this push by Google to encrypt mail as being like that thing they do in the Israeli prisons, where they have a dummy microphone in the cell that's easily discoverable and avoidable and then they hide the real mics where people go to avoid the dummy one - and pick up all the juicy intel, undetected.

      Aren't microphones cheap enough that it would be rather stupid to make the obvious microphone a dummy instead of a working one also?

      This form of encryption provides the illusion of security; it's like: 'go back to sleep, everything's fine, your government can't snoop on you with its giant, multi-tentacled panopticon'. All the while, the NSA and GCHQ are rather happy and completely undeterred.

      I can't decide who Google is trying to help with this.

      They never said that anything would be ok, but they are pointing out some easily avoidable mistakes.

      --
      bickerdyke
    16. Re:Encrypting the Link is only part of the story by Anonymous Coward · · Score: 0

      and they do

    17. Re:Encrypting the Link is only part of the story by fraxinus-tree · · Score: 2

      Well, almost. With encryption, Google spies on you. Everyone else, including US.gov, has to ask Google for that or at the very least let Google know about it, and has no way to know the quality of the result they get.

    18. Re:Encrypting the Link is only part of the story by Anonymous Coward · · Score: 0

      Also, without end-to-end encryption, Google can spy on you.
      With end-to-end encryption, spam filters don't work.

    19. Re:Encrypting the Link is only part of the story by Anonymous Coward · · Score: 0

      I'm so sick of you shilling for Google here. If you were at least critical but, no, they're always "making the world better" in your eyes.

      Fuck off.

      Enabling encryption for SMTP is good, but presenting a padlock to the user is obviously stupid, as it gives the user a false sense of privacy and security.

    20. Re:Encrypting the Link is only part of the story by unrtst · · Score: 1

      You're reading out of context. There was nothing about what I said that implied that email headers were encrypted via S/MIME, GPG, or PGP.
      If one is using email + one of those, the clear text headers will be available to every SMTP server along the way, and possibly sent clear text in transit depending on various TLS deployments/negotiations/etc. None of that changes the fact that, if you encrypt all your email via S/MIME or GPG or PGP, and you use gmail, google will be unable to read the content of the message body (which could, in turn, contain another RFC822 mime message, complete with additional headers, but fully encrypted). I was correcting the mistaken statement that ledow made. No need to poo-poo on S/MIME simply because it doesn't do everything; know its purpose and limitations and leverage it as another layer of security where needed/possible.
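
Added example for the header discussion above (Obfuscant's, JesseMcDonald's and unrtst's replies); it is mine, not code from the page. The bodies of the three constructed messages are opaque PGP armour, yet the RFC 5322 headers stay cleartext, so whoever can read the mailbox, a relay, or a copy of the traffic still recovers who talks to whom, when, through which servers, and (unless the sender blanks it) about what. The third message follows the convention unrtst mentions of carrying the real headers inside the encrypted part and leaving only "..." in the outer Subject. The addresses, hosts and armoured blocks are placeholders made up for the example, not real ciphertext.

```python
"""What a mailbox of PGP-encrypted messages still reveals through its headers.

Added example for the thread; not code from the original page. The message
bodies are opaque PGP armour (placeholders, not real ciphertext), but the
headers are cleartext, so a traffic profile can be built without a key.
"""
import re
from collections import Counter
from email import policy
from email.parser import BytesParser

# Constructed placeholder armour; a real message would carry ciphertext here.
ARMOUR = (b"-----BEGIN PGP MESSAGE-----\n\n"
          b"hQEMA3x3zQ9ZJ2g4AQf9F1placeholderNOTrealCIPHERTEXT==\n=AbCd\n"
          b"-----END PGP MESSAGE-----\n")

# Three constructed messages from one mailbox. Message 3 uses the
# protected-headers convention: outer Subject is "...", the real one is
# inside the encrypted part.
MESSAGES = [
    b"""Received: from relay.example.org (relay.example.org [198.51.100.4])
        by mx.example.com with ESMTPS id a1;
        Mon, 4 Apr 2016 08:00:00 -0700 (PDT)
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: draft merger agreement
Date: Mon, 4 Apr 2016 07:59:00 -0700
Content-Type: text/plain; charset="us-ascii"

""" + ARMOUR,
    b"""Received: from mx.example.com (mx.example.com [203.0.113.7])
        by mx.example.org with ESMTPS id b2;
        Mon, 4 Apr 2016 08:31:00 -0700 (PDT)
From: Bob <bob@example.com>
To: Alice <alice@example.org>
Subject: Re: draft merger agreement
Date: Mon, 4 Apr 2016 08:30:00 -0700
Content-Type: text/plain; charset="us-ascii"

""" + ARMOUR,
    b"""Received: from relay.example.org (relay.example.org [198.51.100.4])
        by mx.example.com with ESMTPS id c3;
        Mon, 4 Apr 2016 09:16:00 -0700 (PDT)
From: Alice <alice@example.org>
To: Bob <bob@example.com>, Carol <carol@example.net>
Subject: ...
Date: Mon, 4 Apr 2016 09:15:00 -0700
Content-Type: text/plain; charset="us-ascii"

""" + ARMOUR,
]


def is_opaque(msg) -> bool:
    """True when no readable body text sits outside PGP armour."""
    ctype = msg.get_content_type()
    if ctype == 'multipart/encrypted':   # RFC 3156 PGP/MIME: payload is ciphertext
        return True
    if ctype == 'text/plain':            # inline PGP
        return msg.get_content().lstrip().startswith('-----BEGIN PGP MESSAGE-----')
    return False


def traffic_profile(raw_messages) -> dict:
    """Build a who-talks-to-whom profile from cleartext headers only."""
    pairs = Counter()     # (sender, recipient) -> number of messages
    subjects = []         # outer Subject lines, in mailbox order
    relays = set()        # every "by <host>" seen in trace headers
    timestamps = []
    for raw in raw_messages:
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        if not is_opaque(msg):
            raise ValueError('body is readable; this profile is about encrypted mail')
        sender = msg['From'].addresses[0].addr_spec
        for rcpt in msg['To'].addresses:
            pairs[(sender, rcpt.addr_spec)] += 1
        subjects.append(str(msg['Subject']))
        timestamps.append(msg['Date'].datetime)
        for rec in msg.get_all('Received', []):
            m = re.search(r'\bby\s+(\S+)', str(rec))
            if m:
                relays.add(m.group(1))
    return {
        'pairs': dict(pairs),
        'subjects': subjects,
        # A blanked subject ("...") is the one thing the sender can hide.
        'leaked_subjects': [s for s in subjects if s.strip('. ')],
        'relays': sorted(relays),
        'first': min(timestamps),
        'last': max(timestamps),
    }


if __name__ == '__main__':
    for key, value in traffic_profile(MESSAGES).items():
        print(f'{key}: {value}')
```

Nothing in the profile needed a key: the contact graph, the timing, the relays and two of the three subjects all come from headers the transport has to see, which is the point JesseMcDonald makes about the destination being the only header that is actually required.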

    21. Re:Encrypting the Link is only part of the story by shawn2772 · · Score: 1

      I'm so sick of you shilling for Google here. If you were at least critical but, no, they're always "making the world better" in your eyes.

      If you think I'm never critical, either you've missed a lot of my posts or (more likely) you're suffering from a case of confirmation bias.

    22. Re:Encrypting the Link is only part of the story by fph+il+quozientatore · · Score: 1

      Wat? Spam filters work just fine even with encryption, if they are implemented client-side. Thunderbird has a spam filter; spamassassin is an open-source spam filter, and neither of them need to talk to Google servers.

      --
      My first program:

      Hell Segmentation fault

    23. Re:Encrypting the Link is only part of the story by suutar · · Score: 1

      Ah, I see. Good points, thanks for the clarification :)

    24. Re:Encrypting the Link is only part of the story by Anonymous Coward · · Score: 0

      I still think you're biased, but my post was crass. Sorry.

    25. Re:Encrypting the Link is only part of the story by sydbarrett74 · · Score: 1

      You're making the perfect the enemy of the good. Yes, of course the Five Eyes can still spy on you if they're so determined -- but it raises the bar for the unemployed computer science graduate sitting in an Internet cafe in Nigeria or Moscow. Ubiquitous encryption is a rising tide that lifts all boats.

      --
      'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
  2. Huh? by Anonymous Coward · · Score: 0

    In February, the company started flagging unencrypted emails

    What the hell are they talking about? ALL emails are unencrypted.

  3. That's funny by Anonymous Coward · · Score: 0

    Because the least secure email is GMail. They hand over everything to the government on a silver plate.

  4. The mail security divide by Blaskowicz · · Score: 1

    I'm more and more wary of email, because your free provider can simply read your email, or allow the US government or your national government to read it. Is the metadata sold to the highest bidder too? I don't know.

    So, don't get your mail from an internet giant. But then you have to be able to pay for it. For those that would be able to pay, they have to be willing. For those who would be willing, they have to even be aware that paid-for email exists.

    What can we do?
    A friend has free community email service. They stopped accepting new accounts about 15 years ago.
    Also, the internet giant mail provider has replaced their slow Web GUI with an even slower Web GUI. Have some other, cleaner free mail elsewhere too but I don't trust it respecting privacy either. Or perhaps they sell data to the US government, but not to companies.
    Email seems old and busted anyway. Should it go the way of the dodo like USENET and FTP did? Where's the free replacement?

    1. Re:The mail security divide by Anonymous Coward · · Score: 0

      Twitter and Facebook are the new emails.

    2. Re: The mail security divide by mrchaotica · · Score: 1

      The fact that you can host it yourself is what makes email superior to the centralized alternatives, despite its faults.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re: The mail security divide by SuricouRaven · · Score: 1

      You can, but it's tricky. Receiving works, but sending doesn't from any residential IP - you get blocked by anti-spam services.

    4. Re:The mail security divide by Anonymous Coward · · Score: 0

      Where's the free replacement?

      https://www.protonmail.com/

    5. Re: The mail security divide by Blaskowicz · · Score: 1

      Might be good on the smallest configuration of rented VM you can get - I refrain from saying the cheapest host you can get, since not being blocked by anti-spam will be a concern too.

    6. Re: The mail security divide by Anonymous Coward · · Score: 0

      I've been providing a free encrypted messaging alternative to email since '09. All messages and files are AES256 encrypted in-transit and at-rest. It is similar in concept to the old Lavabit. I make $0 from it, so I'm not trolling for new users. But since you seem to be looking, check ThreadThat. Matt S.

    7. Re:The mail security divide by Coren22 · · Score: 1

      How does paying for email make any difference? The government can subpoena paid for email providers just as easily as free.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  5. You my good madam are an idiotess by Anonymous Coward · · Score: 0

    Nothing you say is of any import, other than self-. You look in mirrors all day. The world for you is a dildo for sure.

  6. Re: Of course the Republican rulers... by Anonymous Coward · · Score: 0

    It seems that only dishonest people can become rich and since only dishonest people are Republicans then of course there is a ton of overlap.

  7. Re: Of course the Republican rulers... by Anonymous Coward · · Score: 0

    That's just how they be.

  8. Re: Of course the Republican rulers... by Anonymous Coward · · Score: 0

    And then whine about it.

  9. Re: Of course the Republican rulers... by Anonymous Coward · · Score: 0

    And they just keep becoming more Republican.

  10. Re: Of course the Republican rulers... by Anonymous Coward · · Score: 0

    Obvious troll is obvious.

    Those Republicans hate us.

  11. Re: Of course the Republican rulers... by Anonymous Coward · · Score: 0

    This. That is why they be like that.

  12. Re: Of course the Republican rulers... by Anonymous Coward · · Score: 0

    This. They even whine when their rape victims fight back.

  13. Re: Of course the Republican rulers... by Anonymous Coward · · Score: 0

    This. Page has done nothing to try to slow down the rapes. He doesn't care about women.

  14. perfect vs better security by Anonymous Coward · · Score: 0

    If the ISP or email provider host the domain that your email is at, is it really that much of a problem?

    Sure end-to-end is nice, but these guys can accept, redirect and intercept your email in a million other ways anyway.

    Personal domains, forwarded emails, etc. - that's another matter entirely. But Google can read anything@gmail.com if they want, etc.

    Perfect is the enemy of the good.

    Yes, S/MIME and/or PGP/GPG may be the best way, but having STARTTLS helps a lot more people in one fell swoop than having everyone get a cert/key and teaching them about the technology.

  15. Apple? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    How do you enable this encryption thingy in Apple's "Mail" program?

    1. Re:Apple? by Anonymous Coward · · Score: 0

      This specific thing is server-to-server TLS, nothing to do with a client.

      But Mail can use TLS to talk to both IMAP and SMTP servers.
      And if you include a personal mail certificate and you know others with mail certificates, it will also end-to-end encrypt your mails using S/MIME.

      And yes all of this will also work with iOS version of Mail.

  16. Clarify please: just MUA to MTA or MTA to MTA too? by Anonymous Coward · · Score: 0

    Does Google warn users if their email client doesn't use encryption (MUA to MTA) or does it also warn if some other mail provider delivers mail to Google without transport encryption (MTA to MTA) or doesn't accept encrypted mail transport from Google?

  17. Newsflash: Users are easily Manipulated! by Anonymous Coward · · Score: 0

    Amazing. Google discovers that users behavior can be easily manipulated.

    But you can trust them, they would NEVER do anything like that with their search results, or advertisements, or videos, or...

  18. End-to-End encryption Chrome extension - when ? by ei4anb · · Score: 1
    I downloaded and built their End-to-End Chrome extension. I reported a few bugs and they were quickly fixed. Then I waited for Google to finish the development/testing and announce it to The World, but two years later there is only silence on that. No news since 2014 https://security.googleblog.co...

    To paraphrase XKCD, I have been posting my public key for 37 years now but nobody has ever asked me for it or used it for anything as far as I can tell.

    1. Re:End-to-End encryption Chrome extension - when ? by M00nd0g · · Score: 1

      Agreed. The entire PKI and email system needs to be re-thought, however, going down that road starts conversations about TPM, secure O/Ss (with government backdoors)... Maybe a better way to approach this is to have a secure email system then.. oh, that's right, *cough* lavabit *cough*. However, I do agree with you. The system needs to be baked into tools used every day, browsers, email agents, phones ... and now we are back at the first point. sigh...

      --
      Due to funds shortage, no sigs will be issued today. Thankyou.
  19. Re:Clarify please: just MUA to MTA or MTA to MTA t by Coren22 · · Score: 1

    https://www.google.com/search?...

    Gmail doesn't allow non-encrypted client access. The default configuration is IMAPS with SMTPS. Both of these are TLS encrypted.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?