News

Google Kicks Off E-Mail Encryption Security Efforts

• By Kurt Mackie
• 06/04/2014

Google this week outlined a few efforts that may help to ensure greater e-mail security via its Gmail service.

The efforts include a new end-to-end encryption plug-in for the Google Chrome browser, currently at the alpha test stage, as well as a new section in its Transparency Report that tracks e-mail encryption by service providers. For instance, half of the e-mail messages sent to Google's servers from other service providers is not encrypted, according to Google's announcement.

Google is announcing its efforts before June 5's Reset the Net day, which is a day appointed for end users and Internet vendors to adopt or add security solutions to their Internet computing efforts. The idea is to show resistance to widespread U.S. National Security Agency (NSA) spying. Members of Reset the Net include service providers such as Google, Mozilla and Reddit, as well as advocacy organizations such as the Electronic Frontier Foundation and Reform Government Surveillance. The latter group is backed by AOL, Dropbox, Facebook, Google, LinkedIn, Microsoft and Yahoo.

Google's Efforts
Google uses the Transport Layer Security (TLS) protocol to encrypt e-mail across its Gmail service. However, if other service providers aren't using TLS, then this transit encryption doesn't happen, Google explained.

The new end-to-end encryption plug-in for Chrome that Google rolled out for testing this week is called "End-to-End." It's an additional form of encryption on top of TLS. End-to-End is designed to ensure that only the recipient gets the key to open a particular e-mail message. Google's idea is that End-to-End will prove more easy to use than similar existing end-to-end encryption tools, such as PGP and GnuPG.

Google also rolled out a test version of a new 64-bit Chrome browser this week for Windows 7 and Windows 8 users. The new browser can tap Windows 8 security improvements, such as high-entropy randomization, which is designed to reduce the effectiveness of brute-force hacking attempts targeting the address space layout randomization security technique.

A new section in Google's Transparency Report, called "Encryption of email in transit," shows the percentages for various service providers in using the TLS protocol. It tracks whether transit security was used for arriving messages, as well as for the messages that were sent by Google.

Per that report, messages arriving from Microsoft's Hotmail service (now called "Outlook.com") had TLS encryption just 50 percent of the time. Microsoft's score was one of the lowest ones listed in Google's report. However, that trend likely will improve, as Microsoft has indicated that it will be adding TLS to its services by year's end.

"As we've said on the Official Microsoft Blog, we've been working to implement increased encryption across Microsoft products and services and are currently rolling out TLS in Outlook.com," a Microsoft spokesperson said via e-mail.

Microsoft's Efforts
Brad Smith, Microsoft's general counsel and executive vice president for legal and corporate affairs, promised back in December that 2048-bit Perfect Forward Secrecy with would be the default encryption scheme used for Office 365, Microsoft Azure, Outlook.com and OneDrive traffic by the end of this year. Perfect Forward Secrecy delivers keys that last a short time before being updated again, which is used as a means to thwart e-mail hacking attempts by third parties, especially when they may store e-mails for later decryption.

This week, Smith also proposed that the U.S. government should institute various reforms. He suggested ending bulk data collection by the NSA, establishing transparency at the secret U.S. FISA Court, and ending NSA hacks of telecom hubs and datacenters.

Microsoft rolled out an Office 365 Message Encryption service in February, which bundles TLS, Secure Sockets Layer, S/MIME, BitLocker and Microsoft's Information Rights Management service. However, this Message Encryption service is just available for organizations subscribing to Microsoft's E3 and E4 Office 365 plans. It's not available with the free Outlook.com e-mail service.

Microsoft, along with other service providers, has increasingly talked about adding security measures to their solutions in the wake of former NSA contractor Edward Snowden's revelations about global NSA spying. Snowden provided a document indicating that the major service providers themselves, such as Microsoft, Yahoo and Google (among others), had knowingly participated in the NSA's PRISM program. The PRISM program allegedly permits NSA analysts to sample service provider traffic without judicial oversight. Microsoft and other service providers have claimed they just reply to legal processes, but a lawyer for the NSA recently confirmed that service providers understand that their traffic routinely gets tapped in transit.

Since U.S. legal representatives claim to tap service provider traffic in transit via a legal process, it's not clear if encryption will change matters, although Snowden had asserted that end-to-end encryption was an effective deterrent. It's claimed that NSA may be capable of breaking commonly used encryption protocols.