Google today announced that Gmail has become the first major email provider to support two new security standards, namely MTA-STS and TLS Reporting.
Both are extensions of Simple Mail Transfer Protocol (SMTP), the protocol by which all emails are sent today.
The goal of the MTA-STS and TLS reports is to help email providers establish cryptographically secure connections with each other, with the primary goal of thwarting man-in-the-middle SMTP attacks.
Man-in-the-middle SMTP attacks are a major issue for today’s email landscape, where operators of malicious email servers can intercept, read, and modify the content of people’s emails.
The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails.
What are MTA-STS and TLS reports?
For example, SMTP MTA Strict Transport Security (MTA-STS) works by allowing mail server administrators to configure an MTA-STS policy on their server.
This policy allows a legitimate provider to request that external mail servers verify the security of an SMTP connection before sending e-mails.
Minimum requirements, such as forcing external mail servers to authenticate with a valid public certificate encrypted with TLS 1.2 or higher, can be applied, depending on preference, ensuring that emails sent to a company’s server go through through a mandatory and properly encrypted channel – or they don’t arrive at all.
Additionally, the TLS Reporting SMTP extension sets up a reporting mechanism whereby a legitimate mail server can request daily reports from other mail servers on the success or failure of emails that have been sent. sent to the domain of the legitimate server.
The two, when combined, will prevent or help mail server administrators identify man-in-the-middle SMTP attacks against their mail traffic.
Google, Microsoft, Yahoo have worked on protocols for years
While Google was the first email provider to roll out MTA-STS and TLS Reporting today, others are expected to follow, with Microsoft, Comcast and Yahoo at the helm, as all three have worked with Google engineers to standardize two SMTP security extensions. to the Internet Engineering Task Force (IETF) – the organization that approves Internet standards.
For now, Gmail servers are the only ones to support these two new standards, which will become really effective when other mail providers join them and create a mesh of properly encrypted connections between all mail servers in the world. whole world.