According to new e-mail security page that Google has posted up, around 50% of mail sent to Gmail is encrypted using TLS and a meager 35% of messages sent from Gmail to other services are secure. This is a pretty sad state when you consider that TLS is not that hard to configure or enable. In some cases it is simple laziness and others it is due to a lack of properly trained staff. As a former IT contractor I know that many organizations did not even understand what TLS is or how it worked. In some cases they thought that if they turned it on they would not get email from anyone that did not use it.
In service providers the lack of TLS can be as simple as not wanting to deal with the hassles of maintaining the proper certificates for the mass amounts of traffic their systems send. Providing that service can be an extra cost and has some fairly significant administrative overhead (which also costs money). I know I have personally asked about this when researching some providers and they simply say “we do not offer that”.
Now, Google’s efforts to make people more aware of security are great, but in the end using TLS is not the end of the story. Sure, it helps to secure messages in transit, but it does not protect them moving from the client to the transport server or protect them in the mailstore. Here are two places that require some additional work. Even using Microsoft’s Outlook anywhere (formerly called RPC over HTTPS) or an https connection does not guarantee security. If a client or browser is compromised someone can grab any information they want in transit from the client to the server. Likewise if someone gains access to the mailstore servers they can read the email messages pretty easily.
These last two are fairly common tactics of the NSA and hackers looking to grab personal information. It is here that things need to change in order to make sure that messages are secure. We also have to remember that if the company we trust with our email messages holds the private encryption keys for our data and/or connections they can be compelled to hand that over with one of those nasty little national security letters. It is that last item that makes Google’s new initiative little more than a token gesture. The current laws and system allow for almost any privacy efforts to be bypassed with relative ease and the people in power are working to increase that capability continually.
So we applaud Google’s efforts to make people more aware of the lack of security in personal communication and their release of their new end-to-end encryption plug-in’s source code. However, even if the community finds all of the bugs and holes in it (unlikely) there are still ways that the government can get at the information. There really needs to be a much broader change in policy at the corporate and government level before individual privacy over any digital channel can even remotely be considered safe.
Tell us what you think in our Forum