
Google, Microsoft, Yahoo ... unveil new email protection standard

Engineers from the largest providers of email services have teamed up to improve the security of mail traffic on the Internet.

Developed by engineers from Google, Microsoft, Yahoo, Comcast, LinkedIn and 1&1 Mail & Media Development & Technology, the "SMTP Strict Transport Security" protocol is a new mechanism that lets email providers define policies and rules for establishing encrypted connections.


The new mechanism is a draft published at the end of last week and submitted to the Internet Engineering Task Force (IETF) for consideration as a standard.

The Simple Mail Transfer Protocol (SMTP), which is used to pass messages between mail clients and servers, and typically from one provider to another, dates from 1982 and has no encryption of its own.

For this reason, an extension called STARTTLS was added to the protocol in 2002, allowing TLS (Transport Layer Security) to be used on SMTP connections. Unfortunately, over the following decade it saw little use, and email traffic passing between servers was, for the most part, not encrypted.

Everything changed after 2013, when, not without the help of former NSA employee Edward Snowden, secret documents were leaked that documented large-scale surveillance of the Internet by the intelligence services of the United States, Great Britain and other countries.

In May 2014, Facebook, which sends out billions of notifications to users every day, ran a test and found that 58% of those emails were sent over connections encrypted with STARTTLS. By August of the same year, the figure had risen to 95 percent.

The problem, however, is that unlike HTTPS (secure HTTP), STARTTLS uses opportunistic encryption. The digital certificates presented by mail servers are not required to validate; connections to servers whose certificates fail validation are still allowed, on the reasoning that encrypting the traffic is better than nothing.

This means that STARTTLS connections are vulnerable to man-in-the-middle attacks: an attacker who intercepts the traffic can present any certificate, even a self-signed one, and the sending server will accept it, which allows the attacker to decrypt the traffic. Moreover, STARTTLS connections are vulnerable to so-called downgrade attacks, in which the encryption is simply stripped away.

The proposed SMTP Strict Transport Security (SMTP STS) addresses both of these issues. It lets mail providers tell connecting clients that TLS is supported and must be used. It also tells them how the presented certificate should be verified and what should happen if a secure TLS connection cannot be established.

SMTP STS policies are published as special DNS records under the mail servers' domain names. The protocol provides a mechanism for automatically validating these policies and for reporting any failures.

Servers can also instruct clients to cache their SMTP STS policies and specify how long the cached policy remains valid; this determines how the client treats a man-in-the-middle attacker who presents a fake policy on a later connection.

The proposed protocol is similar to HSTS, which protects HTTPS against "downgrade" attacks by caching a domain's HTTPS policy in the browser. This, however, assumes that the client's first connection to the server is made without interference; otherwise a fraudulent policy could be cached as well.
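The cached-policy behaviour described above (opportunistic STARTTLS versus an enforced policy with a lifetime, and the first-connection caveat) can be modelled in a few lines. The following is an added illustration, not code from the article or from the SMTP STS draft; the offer fields, policy keys and outcome strings are assumptions of this toy model.

```python
# Toy model of opportunistic STARTTLS versus a cached strict-transport policy,
# in the spirit of SMTP STS / HSTS. Everything here is a constructed simulation;
# the offer format and policy fields are assumptions, not the draft's syntax.
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ServerOffer:
    """Constructed view of what the receiving server presents on one connection."""
    starttls: bool              # STARTTLS advertised? (False if stripped by a downgrade)
    cert_valid: bool            # certificate validates for the domain?
    policy: Optional[dict] = None   # e.g. {"mode": "enforce", "max_age": 86400}


@dataclass
class SendingServer:
    cache: dict = field(default_factory=dict)   # domain -> (policy, expiry timestamp)

    def _cached_policy(self, domain, now):
        entry = self.cache.get(domain)
        if entry is None or entry[1] <= now:
            self.cache.pop(domain, None)   # expired policy: back to opportunistic mode
            return None
        return entry[0]

    def connect(self, domain, offer, now=None):
        """Return 'tls', 'plaintext' or 'refused' for delivery to `domain`."""
        now = time.time() if now is None else now
        policy = self._cached_policy(domain, now)
        if policy and policy["mode"] == "enforce":
            # Strict mode: a missing STARTTLS offer or a certificate that does not
            # validate (e.g. an interceptor's self-signed one) aborts delivery.
            if not (offer.starttls and offer.cert_valid):
                return "refused"
        elif not offer.starttls:
            return "plaintext"      # opportunistic mode: better than nothing
        # Only learn a policy over an authenticated TLS session, so an interceptor
        # on an unauthenticated connection cannot plant a fake policy in the cache.
        if offer.policy and offer.cert_valid:
            self.cache[domain] = (offer.policy, now + offer.policy["max_age"])
        return "tls"


if __name__ == "__main__":
    mta = SendingServer()
    good = ServerOffer(starttls=True, cert_valid=True, policy={"mode": "enforce", "max_age": 86400})
    print(mta.connect("example.com", good, now=0))                                          # tls
    print(mta.connect("example.com", ServerOffer(starttls=False, cert_valid=False), now=1))  # refused
```

Once a policy is cached, the same stripped or self-signed offer that opportunistic mode would accept is refused until the policy expires.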

According to the latest Google data, 83% of email messages sent by Gmail users to other email providers are encrypted, but only 69% of incoming messages from other providers arrive over an encrypted channel.

There are also large regional inconsistencies in email encryption: providers in Asia and Africa fare much worse than their European and American counterparts.

Original article: http://www.infoworld.com/article/3046850/security/google-microsoft-yahoo-and-others-publish-new-email-security-standard.html

PS: I call for constructive criticism of the translation, thank you.

Source: https://habr.com/ru/post/368473/

