Google applauded for encrypting more Gmail messages

Google has published research claiming that around 50 percent of messages sent and received on the Gmail platform are not encrypted.

Google applauded for encrypting more Gmail messages
Google applauded for encrypting more Gmail messages

Delving into the figures, however, reveals that the encrypted volume has actually risen from 33 percent last December to 58 percent today - something that the Electronic Frontier Foundation (EFF) has welcomed.

The figures form the backdrop to a new `Safer Email' section in Google's rolling transparency report, and comes as a new Chrome browser extension - `End-to-End' - enters alpha testing. As the name implies, the Chrome extension encrypts all data flowing into and out of the browser environment.

According to Google, 65 percent of all outgoing Gmail messages are now encrypted, whilst 50 percent of received messages from other services were encrypted.

Brandon Long, technical lead with Gmail, says that, when you send a letter to your friend, you hope he/she will be the only person who reads it.

"But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. That's why we send important messages in sealed envelopes, rather than on postcards," he explained.

"For people looking for even stronger email security, end-to-end encryption is a good option—but it's been hard to use. So today we're making available the source code for End-to-End, a Chrome extension. It's currently in testing, and once it's ready for general use it will make this technology easier for those who choose to use it," he said.

SCMagazineUK.com notes that End-to-End is based on OpenPGP and a new JavaScript-based crypto-library. According to Stephan Somogyi, Google's product manager for security and privacy, this level of encryption will probably only be used for very sensitive messages or by those who need added protection.

But, he says, Google hopes that the End-To-End extension will make it quicker and easier for people to get that extra layer of security should they need it.

The EFF has welcomed Google's moves in the encryption space. Peter Eckersley, the foundation's technology projects director, however, says in his online analysis, that there is also more work to do.

"More mail operators need to implement STARTTLS, and some of those that already support STARTTLS need to upgrade their servers to support modern ciphers and forward secrecy," he explained.

Paul Stone, a principal consultant with Context Information Security, agrees. He says that email security is an area that has been severely neglected, so it's good to see Google bringing attention to it.

"Looking at the data, it's a shame to see that email from many UK retailers and banks isn't sent over a secure connection. Most companies use SSL on their websites to protect sensitive customer data, so the same level of security should be applied to email too," he said.

Dr Eric Cole, a SANS faculty fellow and course author, however, warned that - when using the internet - many people forget that it is truly an open, untrusted network.

"Any traffic and any information (including email) can be intercepted or read," he said, adding that there are two important items to remember when using encryption.  First, there is no silver bullet when it comes to security. Yes, encryption will help but only if it is part of an integrated security solution," he said,

"The second important thing to remember with encryption is that it stops anyone from reading any messages. Many people think encryption stops an adversary from reading your information; however, encryption also stops an organisation from reading any information going over a network. Encryption is important but all aspects of it must be thought about looking at both the pros and cons of using it within an organisation," he added.

Over at Check Point, Keith Bird, the security firm's MD, welcomed the rise in encrypted email adoption as a very positive step forward in data security.

"This is because it will help create wider awareness of the need to protect sensitive data wherever it resides. I'd hope it would have a knock-on effect in encouraging companies that hold large amounts of customer information to encrypt that data, to protect it against the types of breaches that recently affected eBay and other retailers," he explained.