
What Gmail's Encrypted Email Warning Doesn't Tell You


Gmail’s encrypted email warning is coming for emails that are sent and received through unsecured connections.

Earlier this month, Google released their Safer Email Transparency report, which revealed the strides made in email encryption between 2013 and 2015.

It’s important to note that these strides specifically relate to the security of email data while it’s in transit between the sender and the recipient and not while it’s at rest in a user’s inbox or sent items, which is arguably where the data is at the highest risk of attack.

For a long time, it’s been recognised that email communication is not secure and Google’s report uses the popular analogy that compares sending an email to sending a postcard in that the data is open to attack while it’s in transit; just think of a postman being able to read what’s written on a postcard.

Traditionally, like many communications, emails have been sent through unsecured connections and Google’s report examines the increase of encrypted emails being sent and received through secure connections to transfer email data.

Secure connections

A secure connection means the email is encrypted while it is in transit between the sender and the recipient, and the encryption is implemented using the TLS (Transport Layer Security) protocol. TLS only protects the message if it is supported at every point on the email's journey from the sender to the recipient. In a browser, a secure connection is visible in the URL, which starts with HTTPS rather than HTTP, where the “S” denotes a secure connection. Put simply, TLS is like putting the postcard in an envelope so the postman can no longer read it. However, in the same way that a postman can tamper with an envelope, a TLS connection can be compromised; it is more complicated, but it is possible with the right resources.
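The point that TLS only helps when every hop supports it can be checked on a delivered message: each mail server prepends a Received: header, and Gmail's records whether the hop used TLS. The script below is an added example, not code from the original post; it parses a constructed message (hostnames and ids are made up) and reports which hops were encrypted in transit, while also showing that the body itself is stored in the clear regardless of how it travelled.

```python
import re
from email import message_from_string

# Constructed sample: the last hop into Gmail used STARTTLS (ESMTPS, with the
# version/cipher annotation Gmail writes), the earlier internal hop did not.
SAMPLE = """\
Received: from mx.example.net (mx.example.net. [203.0.113.10])
        by mx.google.com with ESMTPS id x12si3456789abc.1
        for <alice@example.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 1 Dec 2015 10:00:00 -0800 (PST)
Received: from workstation.internal (unknown [198.51.100.7])
        by mx.example.net with ESMTP id 4Fq7z1; Tue, 1 Dec 2015 09:59:58 -0800
From: bob@example.net
To: alice@example.com
Subject: test

hello
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)
# RFC 3848 "with" keywords that end in S (optionally SA) indicate TLS was used.
SECURE_PROTO_RE = re.compile(r"(UTF8)?(E?SMTP|LMTP)SA?", re.I)
TLS_RE = re.compile(r"version=(\S+)\s+cipher=(\S+)")


def hops(raw):
    """Return one dict per Received: header, oldest hop first."""
    msg = message_from_string(raw)
    out = []
    # Headers are listed newest first; reverse to follow the message's path.
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold and normalise whitespace
        m = HOP_RE.search(text)
        if not m:
            continue
        sender, receiver, proto = m.groups()
        tls = TLS_RE.search(text)
        out.append({
            "from": sender, "by": receiver, "proto": proto,
            "encrypted": bool(SECURE_PROTO_RE.fullmatch(proto)) or tls is not None,
            "tls": f"{tls.group(1)} {tls.group(2)}" if tls else None,
        })
    return out


def all_hops_encrypted(raw):
    """True only if every recorded hop was protected by TLS."""
    return all(h["encrypted"] for h in hops(raw))


def body_at_rest(raw):
    """The stored body is plaintext whether or not the hops used TLS."""
    return message_from_string(raw).get_payload()
```

On the sample, the internal hop is flagged as unencrypted, so the message as a whole did not travel securely end to end, and the body is readable to anyone holding the mailbox.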



Report highlights

Between 2013 and 2015 the report shows that:

• The number of emails Gmail received from non-Gmail senders that were encrypted in transit increased from 33% to 61%

• The number of emails that were sent from Gmail to non-Gmail users that were encrypted in transit increased from 60% to 80%

• Gmail will soon notify users when they receive an email that has been sent through an unsecured connection

Email data in your inbox is not protected

Fundamentally these advancements are welcomed, but it’s important to note that if your Gmail account is hacked a TLS connection will not protect your email information as the data is not protected while at rest in your inbox or sent items folder.

It could even be said that an email is less secure than a postcard, because when an email is sent a copy is stored in the sender's sent items and in the recipient’s inbox, and, as outlined above, it is at risk while in transit. When considering the security of email data, the whole lifetime of the email must be taken into account, and it is clear that TLS alone is not sufficient to protect it in the event of an attack on a mailbox. Recent cyber attacks and hacks demonstrate this:

• Sony Pictures – all the emails were hidden behind firewalls, TLS and other security infrastructure, and they were still easily available to the hackers

• The most powerful man in the world, President Obama, had his emails at rest compromised earlier this year

• Recently, the director of the CIA, John Brennan, had his personal email account hacked.

Earlier this year there was controversy stirred up over Hillary Clinton’s decision to use a private email server, as the data at rest in her inbox was at an increased risk of a cyber attack due to the absence of the appropriate security infrastructure or encryption.

Using TLS alone would not have protected against any of the above attacks. Furthermore, if your email address and password were one of the 5 million stolen last year, then all your email data is potentially available to hackers who can steal your seemingly innocuous information. Just consider if you’ve ever shared sensitive data such as your credit card details with your partner. More importantly, if you use Google Apps for your business email, then all your finance information and trade secrets are potentially at risk in your inbox and sent items.

The report does reference PGP (Pretty Good Privacy) as a method to secure the data at rest in a user’s inbox or sent items, but it has been shown many times that this is a very difficult solution to use, and since it was developed in 1991 its adoption has come primarily from highly sophisticated security professionals. Modern, innovative solutions allow users to secure their email data easily without managing passwords or accessing third party portals.

One step closer to complete email security

The findings in this report are very much welcomed, but the question remains: whether or not you get the notification from Google informing you that you’ve received an email over an unsecured connection, how are you going to secure the email data in your inbox?
