Google plans 'not encrypted' user alert for Gmail

News by Adrian Bridgwater

Inter-server technology worries - STARTTLS stripping forces a user's sending machine to skip encryption

The thorny world of email encryption throws up another spike this month with Google discussing when it will alert users when messages are not encrypted.

According to Google's own Online Security Blog, “To notify our users of potential dangers, we are developing in-product warnings for Gmail users that will display when they receive a message through a non-encrypted connection. These warnings will begin to roll-out in the coming months.”

The development has arisen due to slow adoption of encryption by some email server host locations and what amounts to a perceptible level of hostility towards email encryption in seven specific countries.

As reported on the Register, Google's own research identifies the following countries as ‘should be regarded as dangerous places to send e-mails to': Tunisia, Iraq, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho.

STARTTLS stripping

The above-identified countries are reportedly seeing instances of so-called STARTTLS stripping. This process forces the sender's machine's message to skip encryption and ‘degrade' the message ‘richness' down to plain text format.

More than 20 percent of messages subject to STARTTLS stripping are said to arrive at their host recipient's machines without encryption.

The Electronic Frontier Foundation defines the STARTTLS flag as an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

To understand what this technology means at a deeper level, today spoke to AVAST Software's malware analyst and programmer Jaromír Horejší.

“By stripping STARTTLS, users' email conversations become unencrypted. If an unencrypted email is sent over the Internet, there is a risk the message could be captured and forged by a third party,” said Horejší.

He continued, “I can only speculate why there are servers that do not encrypt emails, one reason may be the lack of knowledge or resources to upgrade, the second is that the lack of encryption could be intentional - to spy on communications. Many people may not consider their emails to be as sensitive as online banking or shopping, but email communications are also valuable for attackers and spies, as email contents can also reveal a lot about a person,” he added.

Actively preventing message encryption

Google has confirmed that it has found regions of the Internet ‘actively preventing message encryption' by tampering with requests to initiate SSL connections. “To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen “opportunistic TLS” using technologies that we pioneered with Chrome to protect websites against interception,” says the firm.

To be clear, Google has confirmed that these threats do not affect Gmail to Gmail communication; they may affect messaging between providers. The company has further confirmed that more than 94 percent of inbound messages to Gmail use some form of authentication.

Eavesdropping at any point

Catalin Cosoi is chief security strategist at Bitdefender. He says that one of the major security implications concerning the lack of email encryption is that these messages are prone to eavesdropping at any point during the communication between the two parties engaged in the conversation. Also, digitally signed emails guarantee that the one sending/receiving the email is indeed a trusted party.

In terms of the seven untrustworthy world states, Cosoi notes that just as the aforementioned study states, “There are geographic regions that try to prevent message encryption by tampering with requests to initiate SSL connections, but such actions may either be politically motivated – laws and legislation - or initiated by malicious actors.”

Bedtime reading

Cosoi adds that while Gmail has always made considerable effort into making Gmail-to-Gmail communication as safe as possible - the addition of this new notification warning users of receiving emails via a non-encrypted connection is a good step in the right direction. Google provides its safer email transparency report for deeper reading on this subject matter.

Speaking to directly, Cosoi says that this Google report underlines the importance of email encryption even between different email providers - and the fact that 57 percent of non-Gmail originating emails are not encrypting is ‘definitely worrying' in his view.

“Since privacy has been playing a pivotal role in our lives, especially since we're constantly connected online and exchanging information in various forms, all email service providers have to start implementing strong security methods. Emails are no longer just a series of bytes sent from sender to receiver, but information that is both private and personal,” added Bitdefender's Cosoi.

Google has yet to confirm a date for the rollout of its non-encrypted connection service, but intends to track this story.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews