Gmail’s encrypted email warning is coming for emails that are sent and received through unsecured connections. Earlier this month, Google released its Safer Email Transparency Report, which reveals the strides made in email encryption between 2013 and 2015. It is important to note that these strides relate specifically to the security of email data while it is in transit between sender and recipient, not while it is at rest in a user’s inbox or sent items, which is arguably where the data is at the greatest risk of attack.
For a long time it has been recognised that email is insecure, and Google’s report uses the popular analogy of the postcard: the data is open to attack while it is in transit, just as a postman can read what is written on a postcard. Traditionally, like many communications, email has been sent over unsecured connections, and Google’s report examines the increase in emails sent and received over secure, encrypted connections.
A secure connection is one that encrypts the email while it is in transit between sender and recipient; the encryption is implemented using the TLS (Transport Layer Security) protocol. TLS only protects the whole journey when it is supported at every hop the email passes through between the sender’s and the recipient’s mail servers; a single hop that falls back to plaintext exposes the message there. For the leg between your browser and Gmail, a website URL starting with HTTPS rather than HTTP signals a TLS-secured connection, the “S” denoting secure; the server-to-server hops use TLS on top of SMTP (STARTTLS), which is what the report measures. If you consider the postcard analogy, TLS is similar to putting the postcard in an envelope so the postman can no longer read it. That said, in the same way a postman can open an envelope, a TLS connection can be compromised; it is more complicated, but it is possible with the right resources.
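A practical way to see the hop-by-hop picture described above is to read the Received headers that each mail server adds as the message passes through it: a hop that was received over TLS is tagged “with ESMTPS” (RFC 3848), and Gmail additionally records a “(version=… cipher=…)” comment. The script below is an added example written for this page, not code from Google or from the report; the raw message it parses is constructed for illustration, with made-up hostnames, addresses and queue IDs.

```python
import email
import re

# Constructed sample (not a real capture). The message crosses two hops:
# laptop.example.org -> mx.example.net in the clear, then
# mx.example.net -> mx.google.com over STARTTLS. A TLS hop is marked
# "with ESMTPS" (RFC 3848) plus a "(version=... cipher=...)" comment.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net. [198.51.100.7])
        by mx.google.com with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 15 Dec 2015 10:00:01 -0800 (PST)
Received: from laptop.example.org (laptop.example.org [203.0.113.9])
        by mx.example.net with ESMTP id xyz789;
        Tue, 15 Dec 2015 09:59:58 -0800 (PST)
From: alice@example.org
To: bob@gmail.com
Subject: test

hello
"""

# RFC 3848 "with" tokens that mean the hop used TLS: ESMTPS, ESMTPSA, SMTPS ...
_TLS_TOKEN = re.compile(r"\bwith\s+(?:E|UTF8)?SMTPSA?\b", re.IGNORECASE)
_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_TLS_INFO = re.compile(r"version=(\S+)\s+cipher=(\S+)")


def transit_hops(raw_message):
    """Return one dict per Received header, oldest hop first.

    Each dict records the sending and receiving host, whether the receiving
    MTA logged the hop as TLS-protected, and the TLS version/cipher if given.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    # MTAs prepend Received headers, so get_all() is newest first; reverse it.
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", header).strip()  # unfold the header
        from_m = _FROM.search(text)
        by_m = _BY.search(text)
        info = _TLS_INFO.search(text)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "tls": bool(_TLS_TOKEN.search(text)) or info is not None,
            "version": info.group(1) if info else None,
            "cipher": info.group(2) if info else None,
        })
    return hops


def all_hops_encrypted(raw_message):
    """True only if every recorded hop was received over TLS."""
    hops = transit_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in transit_hops(SAMPLE_RAW):
        status = "TLS " + (hop["version"] or "(version not recorded)") if hop["tls"] else "PLAINTEXT"
        print(f'{hop["from"]} -> {hop["by"]}: {status}')
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_RAW))
```

Run against the sample, the first hop (laptop to mx.example.net) shows as plaintext and the second (mx.example.net to Gmail) as TLS 1.2, so the message as a whole was not encrypted for its entire journey. Two caveats apply when you use this on real mail: only the Received headers written by your own provider (the topmost ones) are trustworthy, since everything below them was written by servers you do not control and can be forged; and the check says nothing about how the message is stored once it arrives, which is the point the rest of this post makes.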
Between 2013 and 2015, the report shows that:
- the share of emails Gmail received from non-Gmail senders that were encrypted in transit increased from 33% to 61%;
- the share of emails sent from Gmail to non-Gmail recipients that were encrypted in transit increased from 60% to 80%; and
- Gmail will soon notify users when they receive an email that was sent over an unsecured connection.
Email data in your inbox is not protected
Fundamentally these advancements are welcome, but it is important to note that if your Gmail account is hacked, TLS will not protect your email, because the data is not protected while at rest in your inbox or sent items. Arguably an email is less secure than a postcard: when an email is sent, a copy is stored in the sender’s sent items and in the recipient’s inbox, and, as outlined above, it is at risk while in transit. When considering the security of email data, the whole lifetime of the email must be taken into account, and it is clear that TLS alone is not sufficient against an attack on a mailbox. Recent cyber attacks demonstrate this:
- Sony Pictures: its emails sat behind firewalls, TLS and other security infrastructure, and they were still easily available to the attackers;
- President Obama, arguably the most powerful man in the world, had emails at rest compromised earlier this year; and
- Recently, the director of the CIA, John Brennan, had his personal email account hacked.
Earlier this year, controversy was stirred up by Hillary Clinton’s decision to use a private email server, as the data at rest in her inbox was at increased risk of a cyber attack in the absence of appropriate security infrastructure or encryption.
TLS alone would not have protected against any of the above attacks. Furthermore, if your email address and password were among the 5 million stolen last year, then all of your email data is potentially available to whoever holds those credentials, including information that seems innocuous. Most people believe they have nothing to hide, but consider whether you have ever shared sensitive data, such as your credit card details, with your partner by email; that is potentially at risk. More importantly, if you use Google Apps for your business email, then all of your finance information and trade secrets are potentially at risk in your inbox and sent items.
The report does reference PGP (Pretty Good Privacy) as a method of securing the data at rest in a user’s inbox or sent items, but it has been shown many times that PGP is very difficult to use, and since it was developed in 1991 its uptake has been largely limited to highly sophisticated security professionals. Modern, innovative solutions allow users to secure their email data easily without managing passwords or accessing third-party portals. Jumble is secure, easy to install and simple to use for both sender and recipient: it secures email data and attachments with one click and works across multiple email platforms.
One step closer to complete email security
The findings in this report are very much welcome, but the question remains: whether or not you get the notification from Google informing you that you have received an email over an unsecured connection, how are you going to secure the email data in your inbox?