2016/04/06 by Willem Stam.
Gmail introduces emails with lock
From now on computer users can see if their emails that go through Gmail are safe by Gmail lock. If so, the email has a special marking. For the time being, this service is only available in the United States. So there is lots of work to do for the companies that send huge amounts of mail. Their main challenge is to keep everything tightly waterproof, otherwise they run the risk of having their mails disappearing in the trash can.
Security specialist Bruce Schneier compared sending an email in 1995 to sending a postcard: “It’s like a postcard that anyone can read along the way”. Twenty years later we can rule out this comparison; this new technology makes reading along the way more difficult.
In its blog, Google recently announced that incoming and outgoing emails will be marked with a red lock icon. This Gmail lock will show the receiver and sender if the email is secure. In fact, this is the ’email ‘ variant of the secure websites that use https that we already know. It is now more difficult for hackers to read emails and to capture them.
What does it look like?
The picture below shows the new lock that is being used by GMAIL webmail. Google will check if a secure connection was used for both outgoing and incoming mails. An open lock indicates that the transfer was not safe and Google will give a security warning.
In addition to the security warning, Google is also introducing a ‘question mark ‘ if the authenticity of the incoming message is questionable. In other words if there are doubts that the sender really is who he claims to be. It will be displayed like this:
This means that there will be a question mark on the picture of the sender if the mail cannot be authenticated. A question mark means that the email’s origin cannot be ascertained and it may be a phishing mail.
Be aware that the attached screen dumps are from an American GMAIL Web client. This service is not yet available for European GMAIL Web clients. It appears that Google has opted for a gradual roll-out.
How does this protection work and is the email really safe?
The security is based on a TLS (Transport Layer Security) security standard. This security standard has been around for some years and more and more senders (ESPs) and receivers (Google) support this standard. Google is now making it visible through its Gmail webclient.
The use of TLS does not give a full 100 percent guarantee that your mail is safe. TLS does not cover the complete email transfer between sender and receiver, but only covers a portion of the process: namely between the mail servers, ‘Email encryption in transit’. While standards such as S/MIME and OpenPGP do cover the complete email transfer. TLS is a definite improvement!
Over 80% of the ISPs support TLS.
In the illustration below, Google is clearly showing us how far we have come with our email security. At present, 60 percent of all emails are sent with TLS and supported by around 80% of the ISPs (Hotmail, Yahoo, Gmail etc.). The smaller ISPs in particular are lagging behind a bit (e.g. the French free.fr). 94% of all mails supports some form of SPF/DKIM authentication.
Email security in the future; prelude to DMARC?
The new security features are a good step in preventing abuse of the email channel. Both receivers and senders have the ball in their courts.
It is the recipient of emails that will really have to take action on the information they receive: if you suspect anything at all, throw the email away immediately.
Senders must ensure that by sending bulk emails TLS is applied and the emails are authenticated by SPF and/or DKIM.
Finally, a word on the authenticity of emails. Google’s new measures will also clear the way for further embracing DMARC, an extra layer of security (on top of the listed SPF and DKIM) that prevents phishing and spoofing (sending emails under a false name).
DMARC gives the ‘visible’ shipping domain a security layer. In concrete terms, this means that the domain names cannot be abused and criminals don’t stand a chance. ‘Under the radar’, DMARC is already being used by the larger ISPs (e.g. Gmail, Hotmail, YAHOO).
Chances are that later this year, in addition to a TLS lock, a DMARC notification in Gmail will also be visible. All in all, this is a clear indication that phishing sensitive brands (banks, large retailers and government institutions) should definitely prioritise the implementation of DMARC.
If you would like to know more about how we can help you, just send us a message via our contact page.