New SMTP STS Email Security Standard Published by Industry Leaders
Alexander Neil / 2 years ago
A number of engineers from some of today’s top tech firms have come together to provide a new standard of security for the sending and receiving of emails. Google, Microsoft, Yahoo, Comcast, LinkedIn and 1&1 Mail & Media Development & Technology are all part of this new standard that is named SMTP Strict Transport Security (SMTP STS). The new standard will allow email providers to define policies and rules that control the sending and receipt of encrypted email communications, which is a vast improvement over current email security.
When SMTP (Simple Mail Transfer Protocol) was envisioned back in 1982, it included no facilities for encryption or security. This same protocol has been in use to this day, and despite additions over the years, such as STARTTLS that have added support for TLS (Transport Layer Security) to SMTP connections, its adoption rate has been low and the majority of email traffic is as unencrypted as in the 80s. Between May and August 2014, in the wake of Edward Snowdon’s leaks, Facebook saw adoption for STARTTLS jump from 58% to a whopping 95%. STARTTLS is not without flaws, though, as it does not validate the digital certificates and is vulnerable to both man-in-the-middle attacks and simple stripping of the encryption.
The newly proposed SMTP STS addresses both of the main flaws that exist in STARTTLS. Firstly, it informs connecting clients that TLS is available and recommended for use as well as how the certificate should be validated and the consequence of failure to establish a TLS connection. SMTP STS policies are set via special DNS records added to the email for the server’s domain name, providing ways for clients to validate the policies and report failure. Man-in-the-middle attacks can be foiled by a mail server telling a client to cache its SMTP STS policies for a set duration, to prevent false policies being injected.
Whether this new standard will catch on the wider world of the internet remains to be seen, but with so many key companies involved in its development and security being such a key topic in the modern-day, we can only hope that it allows us to keep our emails that much secure and private.