Google has announced plans to tell Gmail users which emails have been sent through an encrypted connection and which have not.
In a recent announcement, Google said that it would issue a warning to a user if they had received a message through a non-encrypted connection.
In a Google blog post, authors Elie Bursztein from the Google Anti-Fraud and Abuse Research division, and Nicolas Lidzborski, a Gmail Security Engineering Lead, said that Google is constantly facing new security challenges and is working with partners through the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) to promote better email security.
Gmail uses Transport Layer Security (TLS) to create an encryption ‘tunnel’ between its own mail servers and everyone else’s. When emails are in the tunnel they can’t be spied upon.
TLS (Transport Layer Security) is a way of encrypting the communications between email servers in the delivery chain, keeping the content of messages secure in transit.
TLS does have some limitations – emails sent using TLS aren’t encrypted before they leave your computer, while they’re being processed by the email servers that pass them along, or after they reach their final server.
But they also can’t be intercepted when they’re travelling between servers, which is a good thing.
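As an added example (not code from Google's post or from this article), the hop-by-hop nature of TLS can be checked from a message's own Received headers, which record the protocol each server accepted it with. The sample message, its host names and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" protocol keywords that indicate TLS (RFC 3848 and RFC 6531 registrations).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
# Free-form TLS comments some servers add; wording is not standardised (heuristic).
TLS_NOTE_RE = re.compile(r"\b(?:version=|using\s+)TLSv?\d", re.IGNORECASE)

# Constructed sample message; hosts and addresses use reserved example ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
 by inbound.example.org with ESMTPS id abc123
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 16 Nov 2015 10:00:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
 by mx.example.net with ESMTP id def456;
 Mon, 16 Nov 2015 10:00:02 +0000
Received: from laptop.example.com (laptop.example.com [192.0.2.10])
 by relay.example.com with ESMTPSA id ghi789;
 Mon, 16 Nov 2015 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: constructed sample

body
"""

def audit_hops(raw_message):
    """Return one (receiving_host, used_tls) pair per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # newest header is on top
        flat = " ".join(value.split())                   # unfold continuation lines
        by = BY_RE.search(flat)
        named = any(p.upper() in TLS_PROTOCOLS for p in WITH_RE.findall(flat))
        used_tls = named or bool(TLS_NOTE_RE.search(flat))
        hops.append((by.group(1) if by else "unknown", used_tls))
    return hops

def fully_encrypted(raw_message):
    """True only if every recorded hop used TLS; no Received headers means False."""
    hops = audit_hops(raw_message)
    return bool(hops) and all(tls for _, tls in hops)

if __name__ == "__main__":
    for host, tls in audit_hops(SAMPLE):
        print(f"{host}: {'TLS' if tls else 'PLAINTEXT'}")
```

Received headers are written by each server in turn, so only the lines added by servers you trust are reliable evidence; anything below them could have been supplied by the sender.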
The warnings aren’t the only thing Google is working on to improve email security.
Google previously announced that in June 2016 it would start rejecting emails that do not satisfy DMARC (Domain-based Message Authentication, Reporting, and Conformance) specifications.
Essentially, DMARC is a system designed to detect spoofed emails by allowing companies to determine whether an email is authorised and whether its content has been modified. This fits neatly into Gmail’s security thinking, as it will offer a more robust Gmail service with fewer opportunities for tampering or for the bad stuff to land inside inboxes.
In particular, Gmail will support the draft Authenticated Received Chain (ARC) protocol to help mailing list operators adapt to the need for strong authentication, with Google, Microsoft and Yahoo those deploying the draft initially.
This permits an organisation that is creating or handling email to indicate its involvement in the handling process by adding a cryptographically signed header.
The new warnings will alert users to whether or not their messages are legitimate, and give them a heads up if they’ve been censored or altered.
This is one of a series of announcements by Google to improve email security, after it announced last week that it is expanding its Safe Browsing Protection to include social engineering protection. If Google determines a page to be bad, Chrome will display a warning similar to the malware and phishing notifications it already issues.
All in all, these are very positive moves from Google to offer a more secure service and better security to users.
Google’s effort is about ensuring that the bad stuff is filtered out and, if it works and the protocols are deployed elsewhere with Google’s stamp of approval firmly on them, then a more secure email service may be likely.
The warnings will be rolled out to all users over the next couple of months.
9 comments on “Gmail: “Warning! That email was not sent through an encrypted connection.””
This is an excellent article. Thank you for all your detailed information.
I’d like to comment here……….as don’t know where else to do so, on the new Naked Security Website.
Waking up in the middle of the night due to the fact there’s a heatwave here and there’s no aircon here at the moment……….I went online and half asleep was jolted awake with what looked like a suspicious website………..I quickly closed it and investigated. Wide awake then I realised Naked Security has a new look.
Even though I’m an elderly citizen I love the sleek new presentation……….so well done for those who designed this……….When scrolling through I was pleased to see that Paul Ducklin’s Sophos Blue hat is still there……..there are some things that shouldn’t be messed with!
Thanks, glad you love it! We hope Duck never loses his blue hat either 🙂
I might *cycle* the hats. I have red, orange, yellow, green, blue…and you probably guessed violet as the sixth one. I started with blue…you probably guessed why from the Sophos logo 😉
What? No indigo? Roy G. Biv* would be devastated!
*Mnemonic phrase used in the US to teach the colors of the spectrum
“Richard Of York Gave Battle In Vain” was what I learned. With the widespread acceptance that the rainbow has six colours (because most people wouldn’t be able to tell you the difference between blue and indigo, and indigo and violet), I now use the adverb: “Richard Of York Gave Battle Vainly.”
Great look on new site! Probably a personal issue, but pages do not automatically resize when accessed from gmail web interface, but OK from link in Outlook. Chrome Version 47.0.2526.58 beta (64-bit) on OS X 10.10.5
No auto-resizing on latest Firefox (42, 32bit version) under Win 7 SP1 x64 either. I need to scroll a lot more now with the new layout
I have mixed feelings about the revamp. Like others no auto re-size so scrolling a lot! Plus I don’t like the massive graphics in your email now; much preferred the smaller squares with brief description to the side. I can’t read it in my preview pane anymore, I have to open the email. Boo!
Hi, Thanks for the feedback. We are fixing the images in the newsletter so they aren’t so big. You should have a more easy-to-read one today!