Microsoft, Google, Yahoo, And Others Propose More Secure Email Standard SMTP Strict Transport
With agencies like the NSA and FBI wanting to peer into our personal communications at will, we have to be proactive about keeping ourselves safe. But what if there's a fault we can't work around and simply have to live with? Unless you're a skilled developer, you have to rely on other to come up with an improved solution. All of us want to stay a step ahead of those who want to intrude on our digital lives, and thankfully, many major companies do too.
The latest example is with an improvement of SMTP, an extremely popular email protocol that lets you interact with your email in real-time, unlike POP3 which will download emails before they're displayed. SMTP has a number of benefits, but also a couple of downsides, such as being at risk for man-in-the-middle type attacks. MITM attacks are when malicious users intercept communications before it reaches its destination, and it can often contain readable information if encryption isn't used.
A couple of major companies, such as Google, Microsoft, and Yahoo, have helped draft an updated protocol called SMTP Strict Transport Security. This would superceed an SMTP addition called STARTTLS which was deployed in 2002 as a way to make up for an absolute lack of encryption over SMTP. That was at a time when it was much more difficult to issue MITM attacks; today, skilled attackers have a massive toolbox at their disposal.
Unfortunately, STARTTLS was not widely used, and today, we can easily understand why that's a major problem. InfoWorld notes that in 2014, Facebook found that 58% of the emails it sent to its users (which amounts to billions each day) passed through a STARTTLS connection. Later that same year, mere months following the Edward Snowden whistle-blowing, that number skyrocketed to 95%.
That sounds great, but as it happens, STARTTLS has some major flaws. One is that it can fall prey to opportunistic encryption, where email could be delivered without adhering to normal security protocols, such as verifying the certificate. Thus, a successor was needed, and that's SMTP STS.
The basic mechanics behind SMTP STS is that it reads policies that are defined through a special DNS entry related to the mail server. In the event of an issue, an error would be supplied to the client. A bonus feature: these policies can be cached for a certain amount of time, so as to prevent attackers from somehow injecting their own policies. This implementation overall is similar to HTTPS Strict Transport Security, or HSTS for short, which is used for many webpages.
SMTP STS is still in draft form, so we might not see it deployed for quite some time. However, considering widespread need for improved security virtually everywhere, we can't help but hope that SMTP STS is on a fast track to wide-scale implementation.