Tech giants unite to create encrypted email transfer

A handful of the world's biggest technology companies have joined forces to shore up the security of email services globally through a proposed new open standard.

The majority of internet email is sent via the ageing simple mail transport protocol (SMTP) which forwards messages in plain text by default, leaving them open to easy interception.

To remedy this, the STARTTLS protocol was developed as an extension to SMTP and other plain text protocols - such as the internet message access protocol (IMAP) for email retrieval - to encrypt and protect communications with transport layer security (TLS).

But STARTTLS failed to be widely adopted due to the ease at which an attacker can adopt a man-in-the-middle position, and tell the sending server that encryption is unavailable - known as a STRIPTLS attack - which causes messages to be sent in plain text.

Microsoft, Google, LinkedIn, Yahoo and US telco Comcast have therefore now joined forces to put forward a new proposal for the safer transfer of email.

The proposal, submitted to the international Internet Engineering Task Force over the weekend, proposes a mechanism - dubbed SMTP strict transport security (STS) - that would allow sending SMTP servers to refuse to send messages that cannot be delivered securely.

Mail service providers would be able to declare their ability to receive TLS-secured connections as well as certain methods for certificate validation. Emails would not be sent until it can be ascertained a destination supports encryption and has a valid certificate.

The tech giants suggested future discussions on the proposed transfer technology could centre on the deployment of public-key pinning, ciper and TLS version restrictions, and a "receiver-enforced" system where receiving mail servers only accept mail sent via TLS.

Last year Oracle and Network Heretics separately proposed to the IETF a way to enforce TLS encryption between email programs and the servers they send and receive messages from and to.

Known as deployable enhanced email privacy (DEEP), the open standard seeks to make TLS implicit with protocols such as SMTP, IMAPv4 and POP3 as used by email clients.