But are your Emails secure?
We are using email services for decades, but the underlying 1980s transport protocol used to send emails, Simple Mail Transfer Protocol (SMTP), is ancient and lacks the ability to secure your email communication entirely.
However, to overcome this problem, SMTP STARTTLS was invented in 2002 as a way to upgrade an insecure connection to a secure connection using TLS. But, STARTTLS was susceptible to man-in-the-middle attacks and encryption downgrades.
But worry not. A new security feature is on its way!!!
SMTP STS: An Effort to Make Email More Secure
Top email providers, namely Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development, have joined forces to develop a new email standard that makes sure the emails you send are going through an encrypted channel and cannot be sniffed.
Dubbed SMTP Strict Transport Security (SMTP STS), the new security standard will change the way your emails make their way to your inbox.
SMTP STS has been designed to enhance the email communication security. This new proposal has been submitted to the Internet Engineering Task Force (IETF) on Friday.
The primary goal of SMTP STS is to prevent Man-in-the-Middle (MitM) attacks that have compromised past efforts like STARTTLS at making SMTP a more secure protocol.
Why StartTLS Can't ensure Email Security?
The biggest problem with STARTTLS is:
STARTTLS is vulnerable to man-in-the-middle (MITM) and encryption downgrade attacks, which is why it does not guarantee either message confidentiality or proof of server authenticity.
Forget what the server replies, as the point here to be noted is that the above handshaking process occurs in the unencrypted state.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
So what if, an attacker intercept this unencrypted communication and alter the handshaking process to trick the client into believing that the server doesn't support encrypted communication?
Answer — A Successful Man-in-the-Middle attack to perform Encryption Downgrade attack.
The user would ultimately end up in a non-SSL communication, even if it is available from the legit server due to this downgrade attack.
How SMTP STS improves Email Security over StartTLS?
SMTP Strict Transport Security (SMTP STS) will work alongside STARTTLS to strengthen SMTP standard and to avoid encryption downgrade and Man-in-the-Middle attacks.
SMTP STS protects against an active hacker who wishes to intercept or modify emails between hosts that support STARTTLS.
SMTP STS relies on certificate validation via either TLS identity checking or DANE TLSA
The new email security standard will check if recipient supports SMTP STS and has valid and up-to-date encryption certificate.
If everything goes well, it allows your message to go through. Otherwise, it will stop the email from sending and will notify you of the reason.
So in short, SMTP STS is an attempt to improve where STARTTLS failed. And since the standard is only a draft proposal right now, you need to wait for it before it becomes a reality.
The Internet Engineering Task Force has six months to consider the possibilities of this new proposal, because the motion will expire on September 19, 2016.
Meanwhile, you should also try a Swiss-based, ProtonMail, a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications to keep user's personal data safe.