SMTP Strict Transport Security Coming Soon to Gmail, Other Webmail Providers

SMTP Strict Transport Security is coming to major webmail providers this year, a Google engineer said at RSA Conference

Gmail users can expect the introduction of SMTP Strict Transport Security to the email service some time this year, bringing a measure of security similar to certificate pinning to one of the world’s biggest webmail services.

Elie Bursztein, the head of Google’s anti-abuse research team, said at RSA Conference that SMTP STS will be a major impediment to man-in-the-middle attacks that rely on rogue certificates that are likely forged, stolen or otherwise untrusted. Google, Microsoft, Yahoo and Comcast are expected to adopt the standard this year, a draft of which was submitted to the IETF in March 2016.

Certificate pinning, or public key pinning, relies on a list of trusted public key hashes assigned to a particular connection and rejects any other. For now, connections only verify that a TLS certificate is present.

Bursztein’s announcement came in a talk on Thursday in which he illustrated how different threats to corporate and personal Gmail accounts, such as spam, phishing, malware, impersonation and interception attacks, vary by industry and geography. He also shared how new defense mechanisms implemented in the past 24 months have made Gmail sturdier.

“We are stopping hundreds of billions of attacks every week,” Bursztein said. “Every minute, we have to stop more than 10 million attacks with 99.9 percent precision. The way we are doing this is reacting quickly to emerging threats.”

Bursztein told a strong story with regard to Gmail’s security against impersonation attacks, noting that 80 percent of inbound messages from other providers to Gmail are now encrypted, while 87 percent of outbound messages from Gmail to other providers are encrypted. These numbers are up from 65 percent and 50 percent respectively as of June 2014.

Bursztein said that a decision to add visual cues telling users that certain Gmail messages may be untrusted helped spike adoption of encryption. One such measure was a UI change to display a broken lock in the inbox indicating that the email about to be sent is being sent in the clear.

“This tells you the email you are about to send is not encrypted and could be intercepted in transit,” he said. “This helps the user make a better choice by highlighting this to the user.”

After the lock was implemented, he said, Google recorded a huge bump in the inbound encrypted traffic it was receiving.

“Increasing encryption visibility helped speed up adoption,” Bursztein said.

On the spam front, Bursztein said Google relies on deep learning to extract more meaning out of data for high precision and learning. He said Gmail took a page from Google’s photo tagging capabilities, which use deep learning to understand the context of an image and automate tagging of other photos.

“It’s very good at finding spam too,” he said, citing Gmail’s 99.9 percent accuracy rate detecting spam, 3.5 percent of which he attributes to deep learning.

Bursztein also advocated for organizations to commit to enhancing DMARC, DKIM and SPF rollouts, each of which has a very different role in securing email: from assuring messages are signed with a public key, to allowing companies to specify which servers they will trust, to determining what to do with unsigned messages, whether to toss them into a spam folder or reject them outright.

He also pointed to visual cues on the authentication front, such as Gmail’s assigning of icons to trusted users while throwing up a red question mark for unauthenticated senders. This too was a driver in increasing adoption of all three protections, reducing the number of unauthenticated messages from 5.8 percent in 2014 to 1.8 percent last year.

Bursztein shared some data on the effectiveness of training in combatting phishing threats and on how Google’s visibility into malicious traffic via email can spot trends, for example, how certain ransomware families spread differently (Office documents, macros, or JavaScript droppers) according to detection rates and submissions to VirusTotal.
