SMTP Strict Transport Security Coming Soon to Gmail and Other Webmail Providers

By | February 20, 2017

Gmail users can expect the introduction of SMTP Strict Transport Security to the email service some time this year, bringing a measure of security similar to certificate pinning to one of the world’s biggest webmail services.

Elie Bursztein, head of Google’s anti-abuse research team, said at RSA Conference that SMTP STS will be a major impediment to man-in-the-middle attacks that rely on rogue certificates that are likely forged, stolen or otherwise untrusted. Google, Microsoft, Yahoo and Comcast are expected to adopt the standard this year; a draft of it was submitted to the IETF in March 2016.
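As an added illustration (not code from the article or from Google), the policy format that SMTP STS was later standardized as in RFC 8461 (MTA-STS), together with the sending-side decision it drives: a receiving domain publishes which MX hosts may accept its mail and whether TLS with a validated certificate is mandatory, so a sender can refuse delivery when a man-in-the-middle presents the wrong host or an untrusted certificate. The policy text and hostnames below are constructed for the example.

```python
# Added example (not from the article or Google): parse an MTA-STS policy, the
# HTTPS-served format SMTP STS was standardized as in RFC 8461, and apply it.

POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, other keys may not."""
    policy = {"mx": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            raise ValueError(f"duplicate key: {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])  # seconds the sender may cache it
    return policy

def mx_matches(pattern, host):
    """RFC 8461 wildcard: '*.example.com' matches exactly one leading label."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern

def may_deliver(policy, mx_host, tls_ok):
    """Sender-side check: in 'enforce' mode an MX missing from the policy or a
    session without a validated certificate blocks delivery; 'testing' only reports."""
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if listed and tls_ok:
        return True, "ok"
    reason = "mx not in policy" if not listed else "tls validation failed"
    if policy["mode"] == "enforce":
        return False, reason
    return True, f"{reason} (report only, mode={policy['mode']})"
```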

Bursztein’s statement came during a talk on Thursday during which he illustrated how different threats to corporate and personal Gmail accounts such as spam, phishing, malware, impersonation and interception attacks vary by industry and geography. He also shared how new defense mechanisms implemented in the past 24 months have made Gmail sturdier.

“We are stopping hundreds of billions of attacks every week,” Bursztein said. “Every minute, we have to stop more than 10 million attacks with 99.9 percent precision. The way we are doing this is reacting quickly to emerging threats.”

Bursztein made a strong case for Gmail’s security against impersonation attacks, noting that 80 percent of inbound messages from other providers to Gmail are now encrypted, while 87 percent of outbound messages from Gmail to other providers are encrypted. These numbers are up from 65 percent and 50 percent respectively as of June 2014.

Bursztein said that the decision to give users visual cues that certain Gmail messages may be untrusted helped spike adoption of encryption. One such measure was a UI change that displays a broken lock in the inbox, indicating that the email about to be sent would go out in the clear.

“This tells you the email you are about to send is not encrypted and could be intercepted in transit,” he said. “This helps the user make a better choice by highlighting this to the user.”

After implementing the lock, he said, Google recorded a huge bump in the inbound encrypted traffic it was receiving.

“Increasing encryption visibility helped speed up adoption,” Bursztein said.

On the spam front, Bursztein said Google relies on deep learning to extract more meaning from its data, for higher precision and better learning. He said Gmail took a page from Google’s photo tagging capabilities, which use deep learning to understand the context of an image and automate the tagging of other photos.

“It’s very good at finding spam too,” he said, citing Gmail’s 99.9 percent accuracy rate detecting spam, 3.5 percent of which he attributes to deep learning.
