Gmail Becomes First Major Email Provider To Support MTA-STS, TLS Reporting (zdnet.com)
Google announced today that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting. Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today. ZDNet reports: The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of thwarting SMTP man-in-the-middle attacks. The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails. For example, SMTP MTA Strict Transport Security (MTA-STS) works by allowing email server admins to set up an MTA-STS policy on their server. This policy allows a legitimate provider to request that external email servers verify the security of an SMTP connection before sending any emails. Minimum requirements, such as forcing external email servers to authenticate with a valid public certificate encrypted with TLS 1.2 or higher, can be enforced, depending on preferences, ensuring that emails sent to a company's server travel through an obligatory and properly encrypted channel -- or they don't arrive at all.
In addition, the TLS Reporting SMTP extension sets up a reporting mechanism through which a legitimate email server can request daily reports from other email servers about the success or failure of emails that have been sent to the legitimate server's domain. Both, when combined, will either prevent or help email server admins identify SMTP man-in-the-middle attacks against their email traffic.
Two front-page dupes in the same day.
Aren't your Arabian overlords paying you enough to get decent sleep and / or caffeine?
I know dupes are a time-honored /. tradition, but for fuck's sake, people... y'know, never mind. Par for the course for 21st century. No one gives a fuck about quality anymore.
The "Civilized World" jumped the shark ca. 1973.
Yeah, yeah, the meme of /. "editors" being useless continues for another year.
Office365 has been supporting it for a while.
And I repeat...
Duuuuuuuuuupe!!!
Chas - The one, the only.
THANK GOD!!!
First there was arm twisting to get SSL everywhere and make everyone pay for it, then there was "we're going to mark your site insecure unless you pay up", now it's "we're going to refuse your email if you don't send it via SSL"
I'm sure Intel and AMD love this because every time you make a mandatory change for a stupid reason, CPU requirements double.
We do not need images encrypted (unless they're porn)
We do not need bullshitting on the internet encrypted.
If you're not a bank, store, or government, you should really not even have access to any crypto tools. There's nothing worse than a moron with a tool they don't understand.
Such as cornering the market for harvesting e-mail content to sell us more targeted ads. Just my opinion.
get a clue slashdot
man in the middle absolutely not the big problem in "today's email landscape". Company email servers not getting invalid MX lookups to other business. Spam, malware and phishing emails are the problem. Let's eliminate that first before worrying about this chickenshit little problem.
Google announces they have killed Gmail Email Provider Support MTA-STS, TLS Reporting without prior notice. Zero fucks given.
As usual, the technology remains morally neutral, but another technical bandage is NOT a real solution. Just another flavor of "Live and let spam", and the REAL objective of such weak-@ssed technical approaches is to deny liability for any harms done.
The specific aspect of spam that bugs me most is the time wasted. If the google was liable for all the time wasted by their support of spam, I think they'd be bankrupt, even at minimum wage rates. Other people might be more annoyed by the abuse of corporate reputations. Or maybe you're annoyed by the abuse of personal information? Or the entry-level-crime argument, especially for phishing and identity theft?
Anyway, I always want to see the solutions. So what am I doing on Slashdot these years?
My favored solution approach is to go after the spammers' business models. There's even an obvious proof of concept. Where is all your pump-and-dump stock-scam spam? Gone, gone, gone. Because they went after those spammers' business model--though only after several research papers proved that the scam worked so well it was like printing money.
Why aren't such approaches being adopted? My theory is because they'd have to work with us. To really fight the spammers effectively they'd need to collaborate with the potential victims. One part of it is that we are the only ones who know our side of the targeting. It doesn't matter how good the spam looks if I actually know that I've never done business with that bank, eh? But the bigger part is that they don't want to reveal how much of our personal information they are already holding. They don't have to ask me for such categories of information because they probably have all the details already. Probably even the account numbers.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
all the way to the ads and the NSA.
Domestic spying is now "Benign Information Gathering"
There's no-one other than google that spies on my email anyway. I'm more interested in technology to secure emails *from* google spying on them. Wake me up when they offer end-to-end encryption.
What ever happened to folks encrypting their email? I have mine set up but no one else does so it's rather useless. I wish that would change.
Sounds like what they're really saying is they're enforcing certificates. No certificate, no e-mail. Certificate that's not signed by a valid CA, no e-mail. If you check out - you can send e-mail to us.
I'm surprised that they're the first ones to do this and so late. They were tough to send mail to even years ago.
"Now, let's talk about the lien being put on your house by the IRS." A woman actually used that with me on the phone recently. I was on to her of course.