Slashdot Mirror


Gmail Becomes First Major Email Provider To Support MTA-STS and TLS Reporting (zdnet.com)

Google announced this week that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. From a report: Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of thwarting SMTP man-in-the-middle attacks. SMTP man-in-the-middle attacks are a major problem for today's email landscape, where rogue email server operators can intercept, read, and modify the contents of people's emails. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails.

7 of 44 comments

  1. Skeptic in me says they have ulterior motives by JoeyRox · · Score: 4, Insightful

    Such as cornering the market for harvesting e-mail content to sell us more targeted ads.

    1. Re:Skeptic in me says they have ulterior motives by s0lar · · Score: 2

      Skeptic in me says they have ulterior motives

      I am sure they do... yet this feature is not visible to end-user really. Well, they will probably add a little line item or an icon to indicate that the inbound delivery was secured. Yet that has little to do with the email's content which, by definition, is either transferred from GMail's storage or transferred into it.

    2. Re:Skeptic in me says they have ulterior motives by AmiMoJo · · Score: 4, Informative

      They stopped doing that in 2017. Aside from anything else there were lawsuits over non-Gmail users having their messages scanned when Gmail users received them. The advertising on Gmail, assuming you don't block it, is now based on data from other Google services you use.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Re:Nothing to see here by caseih · · Score: 2

    Yes, server to server. My postfix server has been attempting to StartTLS on every outgoing port 25 connection to other mail servers. Many servers (but not all) will speak TLS on port 25.

  3. Re:Nothing to see here by Justus · · Score: 5, Informative

    MTA-STS is analogous to HSTS (HTTP Strict Transport Security). It's a way for MTAs to express that a connection _must_ be encrypted, so if your server connects and attempts a StartTLS that fails, you can distinguish between "doesn't support TLS" and "something fishy is going on." In the latter case the server can avoid sending mail through a possibly-compromised connection.

    TLS Reporting is an extension whereby MTA operators can get reports from other MTAs on which mails succeeded or failed. That is, it lets you see how many mails weren't sent due to MTA-STS failures, which could give you an indication that someone is attempting to attack your users.
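To make the HSTS analogy above concrete, here is an added example (written for this page, not code from the thread, from Google, or from any MTA): a small MTA-STS policy evaluator that decides, for one delivery attempt, whether a failed or missing STARTTLS is "doesn't support TLS" or "something fishy", and then tallies the outcomes into the summary and failure-details shape of a TLS-RPT report, which is the view TLS Reporting gives the receiving operator. The policy text, the domain `example.com`, and the hostnames are all constructed sample data; the policy file layout follows RFC 8461 and the report field names follow RFC 8460, but the function names (`parse_policy`, `mx_matches`, `evaluate`, `tally`) are this example's own. It goes slightly beyond the comment by handling `testing` mode, in which failures are reported but mail is still delivered.

```python
"""Minimal MTA-STS policy evaluation plus a TLS-RPT-style tally.
Added example for this page; all sample data below is constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample policy, in the RFC 8461 text format served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (domain is hypothetical).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""


@dataclass
class Policy:
    version: str
    mode: str       # "enforce", "testing" or "none"
    mx: list        # allowed MX hostnames, "*.label" wildcards permitted
    max_age: int    # seconds the sender may cache the policy


def parse_policy(text):
    """Parse the key: value lines of an MTA-STS policy into a Policy."""
    fields = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            fields["mx"].append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    return Policy(fields["version"], fields["mode"], fields["mx"],
                  int(fields["max_age"]))


def mx_matches(pattern, host):
    """A '*.' wildcard matches exactly one leftmost label, as RFC 8461 requires."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".backup.example.net"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return pattern == host


def evaluate(policy, mx_host, starttls_ok, cert_valid_for_host):
    """Decide one session: returns (deliver, result_type).

    result_type is None on success, otherwise a TLS-RPT result-type string.
    Under 'enforce' any failure blocks delivery; under 'testing'/'none' the
    failure is only recorded so the operator can see it in the report."""
    if policy.mode == "none":
        return True, None
    failure = None
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failure = "validation-failure"            # MX not listed in the policy
    elif not starttls_ok:
        failure = "starttls-not-supported"        # the "fishy" case under enforce
    elif not cert_valid_for_host:
        failure = "certificate-host-mismatch"
    if failure is None:
        return True, None
    return policy.mode != "enforce", failure


def tally(policy, attempts, policy_domain="example.com"):
    """Aggregate (mx_host, starttls_ok, cert_ok) outcomes into the
    summary / failure-details structure of a TLS-RPT report body."""
    success = 0
    failures = Counter()
    for mx_host, tls_ok, cert_ok in attempts:
        _, failure = evaluate(policy, mx_host, tls_ok, cert_ok)
        if failure is None:
            success += 1
        else:
            failures[(failure, mx_host)] += 1
    return {
        "policy": {"policy-type": "sts", "policy-domain": policy_domain,
                   "mx-host": policy.mx},
        "summary": {"total-successful-session-count": success,
                    "total-failure-session-count": sum(failures.values())},
        "failure-details": [
            {"result-type": r, "receiving-mx-hostname": h, "failed-session-count": n}
            for (r, h), n in sorted(failures.items())],
    }


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print(evaluate(pol, "mail.example.com", False, True))   # (False, 'starttls-not-supported')
    print(tally(pol, [("mail.example.com", True, True),
                      ("mail.example.com", False, True)]))
```

The point to notice is the first branch of `evaluate`: without a policy, a sender that cannot negotiate STARTTLS has no choice but to fall back to plaintext, which is exactly the downgrade an on-path attacker wants. With a cached `enforce` policy the same failure becomes a reportable refusal, and the `failure-details` counts are what the domain owner would see arrive via TLS-RPT.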

  4. Any non-end-to-end encryption is crap by ffkom · · Score: 2

    Why would I want to secure only segments of the information transfer when this means there are still plenty of points where adversaries can tamper with my email? The better solution has been around for decades already, it's called end-to-end encryption, and implemented for example by GPG.

    1. Re:Any non-end-to-end encryption is crap by AmiMoJo · · Score: 2

      Thanks to Snowden we know that the NSA likes to collect and attack email in transit between servers, and doubtless it's popular with other spy agencies. This largely fixes those vulnerabilities.

      Consider that it's much riskier for the NSA to infiltrate data centres to get at these emails now. The risk of detection is much higher, compared to simply sniffing them off the wire on some anonymous backbone router somewhere.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC