Tech giants tackle email security

Mar 22, 2016, 2:12 PM EDT
(Source: Perspecsys Photos,

One of the most popular forms of communication technology to hack is email. No wonder then that a coalition of tech giants is trying to figure out how to ensure more secure communications over email standards. Google, Microsoft, Yahoo, Comcast, LinkedIn and 1&1 Mail & Media Development & Technology have banded together to create the SMTP Strict Transport Security (SMTP STS) mechanism in order to better encrypt email traffic.

The draft, which has been submitted for consideration as an Internet Engineering Task Force (IETF) standard by engineers from those companies, states:

SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely.

In short, it would make it easier, simpler, and more efficient for email providers to govern their traffic, attempt to ensure encryption stays up, and enforce policy.

To break down the jargon, we are talking about communications security over computer networks. SMTP is the Simple Mail Transfer Protocol, which is used to transfer email messages between email clients and servers, and from one provider to another. When SMTP was created over three decades ago, it had no encryption. TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are two protocols that encrypt email traffic, among other forms of web communication. STARTTLS is an extension added to SMTP that lets a connection use TLS or SSL to encrypt communication, essentially a way to upgrade the insecure email traffic protocol of old. TLS is pretty much the preferred protocol now.

But hackers have figured out how to downgrade email messages flowing through these encrypted channels to non-encrypted ones — something the SMTP STS would aim to fix. As the draft explains:

While such "opportunistic" encryption protocols provide a high barrier against passive man-in-the-middle traffic interception, any attacker who can delete parts of the SMTP session (such as the "250 STARTTLS" response) or who can redirect the entire SMTP session (perhaps by overwriting the resolved MX record of the delivery domain) can perform such a downgrade or interception attack.

The new mechanism aims to elevate the encryption-enforcing power of the email provider. Whether or not it will be successful is another issue altogether. We all know hackers are usually one step ahead.
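The following added example (not code from the draft or from any of the companies named) sketches the sender-side check the quoted passages describe: compare the MX host and the EHLO reply against a cached recipient policy, then deliver, report or refuse. The policy fields `mode` and `mx_patterns`, the action names and all host names are assumptions made for illustration, and certificate validation after the TLS handshake is left out.

```python
from fnmatch import fnmatchcase


def parse_ehlo(lines):
    """Return the ESMTP extension keywords advertised in an EHLO reply."""
    caps = set()
    for line in lines[1:]:  # the first reply line is the greeting, not an extension
        # Each line is "250-KEYWORD args" or, for the last line, "250 KEYWORD args".
        if len(line) < 5 or line[:3] != "250" or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words:
            caps.add(words[0].upper())
    return caps


def delivery_decision(policy, mx_host, ehlo_lines):
    """Decide one delivery attempt: 'deliver', 'deliver-and-report' or 'refuse'."""
    problems = []
    # A redirected session (e.g. an overwritten MX record) shows up as an
    # MX host that the recipient domain's policy does not list.
    host = mx_host.lower().rstrip(".")
    if not any(fnmatchcase(host, pat) for pat in policy["mx_patterns"]):
        problems.append("mx-not-in-policy")
    # A stripped "250 STARTTLS" line shows up as a missing extension.
    if "STARTTLS" not in parse_ehlo(ehlo_lines):
        problems.append("starttls-not-offered")
    if not problems:
        return "deliver", problems
    if policy["mode"] == "enforce":
        return "refuse", problems          # do not fall back to cleartext
    return "deliver-and-report", problems  # opportunistic, but tell the recipient


# Constructed sample data (hypothetical domain and policy).
POLICY = {"mode": "enforce", "mx_patterns": ["*.mail.example.com"]}
EHLO_OK = [
    "250-mx1.mail.example.com Hello",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 8BITMIME",
]
# The same reply as the sender sees it when the STARTTLS line was deleted in transit.
EHLO_STRIPPED = ["250-mx1.mail.example.com Hello", "250-SIZE 35882577", "250 8BITMIME"]

if __name__ == "__main__":
    print(delivery_decision(POLICY, "mx1.mail.example.com", EHLO_OK))
    print(delivery_decision(POLICY, "mx1.mail.example.com", EHLO_STRIPPED))
```

Without a cached policy, an opportunistic sender has nothing to compare the stripped reply against and simply continues in cleartext; the policy is what turns the missing line into a detectable failure.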