Google has a message for the world: Insecure, unencrypted email just isn’t cool any more.
On Tuesday, the tech giant released code for an early alpha version of an “end-to-end” Chrome encryption plugin—basically, software that will let users send encoded messages to one another using any Web-based email provider. It also added some interesting new data to its “Safer Email” transparency report—namely, the fact that about half of email received by its Gmail service arrives with no encryption that would protect it from prying eyes on the Internet. Its report also calls out the worst offenders among other major email providers—among them, cable giant Comcast.
That dig apparently got a rise out of Comcast, which piped up to announce that it, too, has plans to protect emails from unauthorized snooping. The company said it will offer more information next week in Brussels at a meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group.
There’s a chance this is just a wacky coincidence, but that seems unlikely, considering Comcast’s encryption will focus specifically on messages moving between Comcast servers and Gmail. Now, we’re bracing for the throngs of “me-too” announcements hailing a greater push toward more secure email delivery and transmission.
At least, we hope.
Google Outs The Encryption-Challenged
Users might be fearful about hackers—or the NSA—digging into servers and looting email storage. Certainly, spying or government surveillance concerns in a post-Edward Snowden world are shining a light on secure practices. But that’s only part of the picture. Google’s report focuses on the security of email as it transits the big, bad Internet.
There’s great potential risk for messages being intercepted as they travel to your inbox. Encryption essentially scrambles them, ensuring that, even if outside parties get their hands on messages, they wouldn’t be able to read them without specific decryption codes. So to keep email shielded from outsiders, both sending and receiving services have to use secure encryption protocols.
Google, which started encrypting Gmail by default in 2010, uses Transport Layer Security, or TLS, to safeguard messages in transit. It’s a pretty standard type of encryption. Problem is, not all that many other email services are using it, which means Gmail has to send and receive email from those providers in an insecure fashion.
Roughly 69 percent of emails sent by Gmail are encrypted in transit, which means those recipients’ email services also support it. But inbound messages to Gmail are much less secure. Only half are encrypted during delivery.
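How the "both ends must support it" rule plays out between mail servers, as an added example that is not part of the original article or Google's report: servers negotiate TLS through the SMTP STARTTLS extension, so a sender can only encrypt a delivery when the receiver advertises it. The EHLO replies, domains and function names below are constructed for illustration.

```python
# Added example: constructed data, not figures from Google's report.
from collections import defaultdict


def parse_ehlo(reply):
    """Return the extension keywords from a multi-line SMTP EHLO reply."""
    keywords = set()
    for i, line in enumerate(reply.strip().splitlines()):
        code, sep, rest = line[:3], line[3:4], line[4:]
        # Every line of a successful reply is "250-..." or, for the last, "250 ..."
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line is the server greeting, not an extension
        if rest.strip():
            keywords.add(rest.split()[0].upper())
    return keywords


def encrypted_in_transit(sender_supports_tls, ehlo_reply):
    """Opportunistic TLS: the hop is encrypted only if both ends support it."""
    return sender_supports_tls and "STARTTLS" in parse_ehlo(ehlo_reply)


def encrypted_share(deliveries):
    """Percent of deliveries per recipient domain that would use TLS."""
    total, secure = defaultdict(int), defaultdict(int)
    for domain, reply in deliveries:
        total[domain] += 1
        secure[domain] += encrypted_in_transit(True, reply)
    return {d: round(100 * secure[d] / total[d], 1) for d in total}


# Constructed EHLO replies from hypothetical receiving servers.
WITH_TLS = ("250-mx.tls.example at your service\r\n250-SIZE 35882577\r\n"
            "250-STARTTLS\r\n250 8BITMIME")
NO_TLS = "250-mx.plain.example Hello\r\n250-SIZE 10240000\r\n250 8BITMIME"

# Constructed delivery log: (recipient domain, EHLO reply seen by the sender).
SAMPLE = [
    ("tls.example", WITH_TLS), ("tls.example", WITH_TLS),
    ("plain.example", NO_TLS),
    ("mixed.example", WITH_TLS), ("mixed.example", NO_TLS),
]

if __name__ == "__main__":
    for domain, pct in encrypted_share(SAMPLE).items():
        print(f"{domain}: {pct}% encrypted in transit")
```

A sender that supports TLS still delivers in plaintext to `plain.example`, which is why a provider's score in a report like this depends on its own servers and not on Gmail's.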
In its report, Google broke out “the percentage of email encrypted for the top domains in terms of volume of email to and from Gmail” worldwide:
Almost all of the providers shown in the right-hand chart, for messages from Gmail received from other email services, scored 90% or better for encryption. The exceptions were Russian email provider Mail.ru and Comcast. (Me.com is Apple’s now-defunct, pre-iCloud domain.)
Overall, it appears that the major free email providers—like AOL, Hotmail, Yahoo and MSN/Hotmail—are paying attention to encryption. So are social networks like Facebook, Twitter and LinkedIn. Most Internet service providers, however, have some work to do.
Less than 1% of Gmails sent to Comcast recipients are encrypted. The same goes for Verizon and Cox, though certain searches for AT&T fared a bit better.
A Trend In The Making
Comcast—the country’s largest cable and broadband services provider, now poised to grow even larger—should waste no time locking down this consumer service. And it isn’t. Encryption will be rolling out in the next few weeks, though it’s not clear whether the company intends to encrypt both incoming and outgoing messages. That will likely be the case, though, as anything less than that hardly seems worth it.
As for other providers, Google’s veritable outing of this security hole could prompt them to step up and encrypt.
They will, if Christopher Soghoian has anything to do with it. The American Civil Liberties Union’s resident technologist told the Wall Street Journal that “Google’s naming. We can shame … and we will.” As soon as the report went public, he started hitting up Internet providers, asking if they’d secure their services.
It’s important to note, however, that this type of in-transit encryption doesn’t prevent the provider on either end from rifling through your email, since your messages get decoded upon receipt. (Otherwise, your correspondent wouldn’t be able to read them, either.) Gmail, in fact, makes a business of automatically scanning email and selling ads against certain keywords in your messages, although most users have long since gotten used to that.
So it’s sort of intriguing that Google also released some early code for a new Chrome browser add-on that would improve email security further—in fact, to such a point that it could both frustrate government requests for email data and undercut Gmail’s ad business.
The “End-to-End” extension is intended to make the “Pretty Good Privacy” (or PGP) encryption standard super simple to use. “End-to-End” refers to data that remains encrypted until the recipient decrypts it. In this case, it would apply to messages sent from your browser and decrypted in the recipient’s browser.
Google released the early code so developers can get some hands-on time to work with it and create their own Chrome plugins. Theoretically, if it works as described, even Google wouldn’t be able to break the encryption.
Feature image courtesy of Flickr user Quinn Dombrowski