A new proposal has been submitted to the Internet Engineering Task Force, a major internet standards organisation. The proposal, which had input from engineers working at Google, Yahoo, Comcast, Microsoft, LinkedIn, and 1&1 Mail & Media Development, will ensure emails are encrypted before they're sent. If the destination doesn't support encryption or its certificate is invalid, the email won't be sent and users will be told why.
Most emails that are sent today are sent in plain text using SMTP. This offers no protection against man-in-the-middle (MITM) attacks, meaning a hacker could easily read your messages. SMTP STARTTLS tried to address the need for encryption but is not widely used and has numerous flaws. In addition, users get no warning when an email they're sending falls back to using plain text.
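To make the difference between today's opportunistic STARTTLS and the fail-closed delivery described above concrete, here is an added example (not code from the proposal or from this article) in which a Python sender talks to a constructed local server that never advertises STARTTLS. The names `PlainOnlyMX`, `send` and `demo` and the example.test addresses are assumptions made for the illustration.

```python
import smtplib, socketserver, ssl, threading

class PlainOnlyMX(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail server that never offers STARTTLS."""
    def handle(self):
        self.wfile.write(b"220 mx.example.test ESMTP\r\n")
        in_data = False
        for raw in self.rfile:
            verb = raw[:4].upper()
            if in_data:
                if raw.strip() == b".":          # lone dot ends the message body
                    in_data = False
                    self.server.delivered += 1
                    self.wfile.write(b"250 queued\r\n")
            elif verb == b"EHLO":                # capability list without STARTTLS
                self.wfile.write(b"250-mx.example.test\r\n250 PIPELINING\r\n")
            elif verb == b"DATA":
                in_data = True
                self.wfile.write(b"354 end with .\r\n")
            else:                                # MAIL FROM, RCPT TO, QUIT
                self.wfile.write(b"221 bye\r\n" if verb == b"QUIT" else b"250 ok\r\n")

def send(host, port, strict):
    """Return the channel used; in strict mode raise instead of downgrading."""
    with smtplib.SMTP(host, port, local_hostname="client.example.test", timeout=5) as s:
        s.ehlo()
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())  # verifies the certificate
            s.ehlo()                             # capabilities must be re-read after TLS
            channel = "tls"
        elif strict:
            raise RuntimeError(f"{host}: no STARTTLS offered, message not sent")
        else:
            channel = "plaintext"                # the silent fallback, no warning to the user
        # Constructed sample message and addresses.
        s.sendmail("alice@example.test", ["bob@example.test"], "Subject: test\r\n\r\nhello\r\n")
        return channel

def demo():
    """Send once opportunistically and once strictly to the plain-only server."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), PlainOnlyMX)
    srv.delivered = 0
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    results = []
    for strict in (False, True):
        try:
            results.append(send(*srv.server_address, strict))
        except RuntimeError:
            results.append("refused")
    srv.shutdown()
    return results, srv.delivered                # (["plaintext", "refused"], 1)
```

The opportunistic send is delivered in clear text without any error, while the strict send stops before `MAIL FROM` is issued, so the server's delivered count stays at one.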
In the last few years, due to political events, the spotlight has been shone on how insecure our digital communications really are. Email has been a particularly troublesome medium to encrypt. Many people are invested in an email provider's ecosystem, such as Gmail, and don't want to switch to a more secure provider like ProtonMail, which provides encryption when sending emails to other ProtonMail users. Other tools such as PGP have a fairly high barrier to use for people new to the technology, making them an inconvenient option for most users.
The submission to the IETF is still in its early stages, and it will probably take a while before it's implemented in the third-party email clients regularly used on desktop and mobile devices. It is likely that the proposal will get implemented due to the support it has from the big tech firms.
Source: IETF via The Next Web