Security news that informs and inspires

Google Adds Better Transport Security for Gmail

Google is adding a new security feature to its Gmail service that lets domain owners ask that mail servers sending messages to their domain verify the receiving server's certificate and use modern transport encryption before delivering.

Beginning this week in beta, Gmail will support the SMTP MTA Strict Transport Security (MTA-STS) standard developed under the auspices of the Internet Engineering Task Force (IETF). The standard has been in development for several years and is designed to address man-in-the-middle attacks against SMTP sessions between mail providers. Specifically, it addresses a shortcoming of the existing STARTTLS extension to SMTP, which mail servers use to upgrade a plaintext connection to TLS: because that upgrade is opportunistic, an attacker in the path can prevent it from happening.

“The STARTTLS extension to SMTP allows SMTP clients and hosts to negotiate the use of a TLS channel for encrypted mail transmission,” the IETF document for MTA-STS says.

“While this opportunistic encryption protocol by itself provides a high barrier against passive man-in-the-middle traffic interception, any attacker who can delete parts of the SMTP session (such as the ‘250 STARTTLS’ response) or who can redirect the entire SMTP session (perhaps by overwriting the resolved MX record of the delivery domain) can perform downgrade or interception attacks.”

Gmail has supported STARTTLS for some time, as have many other mail providers, but STARTTLS on its own isn't enough to protect sessions against interception: the sending server has no way to know that the receiving domain expects TLS, so a stripped STARTTLS offer or a redirected session simply results in plaintext delivery. Adding MTA-STS support to Gmail lets receiving domains state that expectation and so raises the bar against interception.

“Like all mail providers, Gmail uses Simple Mail Transfer Protocol (SMTP) to send and receive mail messages. SMTP alone only provides best-effort security with opportunistic encryption, and many SMTP servers do not prevent certain types of malicious attacks intercepting email traffic in transit,” Google’s Nicolas Lidzborski and Nicolas Kardas said.

“SMTP is therefore vulnerable to man-in-the-middle attacks. Man-in-the-middle is an attack where communication between two servers is intercepted and possibly changed without detection. Real attacks and prevention were highlighted in our research published in November 2015. MTA-STS will help prevent these types of attacks.”

For individual Gmail users, the change doesn't have any visible effects, as it happens at the server level. But for organizations that use Google's G Suite, which includes Gmail, support for MTA-STS means administrators can publish a policy for their domain that tells outside mail servers to deliver only over authenticated, encrypted connections.

“An MTA-STS policy for your domain means that you request external mail servers sending messages to your domain to verify the SMTP connection is authenticated with a valid public certificate and encrypted with TLS 1.2 or higher. This can be combined with TLS reporting, which means your domain can request daily reports from external mail servers with information about the success or failure of emails sent to your domain according to MTA-STS policy,” Lidzborski and Kardas said.

“This means Gmail will honor MTA-STS and TLS reporting policies configured when sending emails to domains that have defined these policies. We hope many other email providers will soon adopt these new standards that make email communications more secure.”

Google has posted a document that lays out how admins can set up MTA-STS for their domains.
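To make the mechanism described above concrete, here is an added example (not Google's code and not from the IETF document) of what a sending MTA does with a receiving domain's MTA-STS policy: it reads the `_mta-sts` TXT record from DNS, fetches and parses the policy file served at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and then decides whether a given delivery session satisfies the policy. The domain `example.com`, the TXT record, the policy body and the `Attempt` records are all constructed for this example; the DNS lookup and HTTPS fetch are replaced by those inline strings so it runs offline. The `tls_version` check reflects the "TLS 1.2 or higher" requirement quoted from Google; the failure labels `starttls-not-supported` and `certificate-not-trusted` are TLSRPT result-type names from RFC 8460, while `mx-mismatch` and `tls-version-too-low` are this example's own labels.

```python
from dataclasses import dataclass

# Constructed sample: what a sending MTA would read from the TXT record at
# _mta-sts.example.com (the domain and the id value are made up here).
STS_TXT_RECORD = "v=STSv1; id=20190410T120000"

# Constructed sample: the policy body the sender would then fetch over HTTPS from
# https://mta-sts.example.com/.well-known/mta-sts.txt (also made up).
STS_POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

VALID_MODES = ("enforce", "testing", "none")
# TLS versions that satisfy the "TLS 1.2 or higher" requirement quoted in the article.
ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")


@dataclass
class Policy:
    mode: str
    mx: list
    max_age: int


@dataclass
class Attempt:
    """Observed facts about one SMTP delivery session (fields are this example's own)."""
    mx_host: str             # host the sender actually connected to after its MX lookup
    starttls_offered: bool   # did the server advertise 250 STARTTLS in its EHLO reply
    cert_valid_for_mx: bool  # cert chains to a trusted CA and its name matches mx_host
    tls_version: str         # negotiated version, e.g. "TLSv1.2"


def parse_sts_txt(record):
    """Return the policy id from an MTA-STS TXT record, or None if it is not one."""
    fields = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the 'key: value' policy file; raise ValueError on a malformed policy."""
    version, mode, mx, max_age = None, None, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
        # unknown keys are ignored so that future extensions do not break parsing
    if version != "STSv1" or mode not in VALID_MODES or max_age is None:
        raise ValueError("policy missing a required field")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policy must list at least one mx")
    return Policy(mode, mx, max_age)


def mx_matches(pattern, hostname):
    """Match an MX hostname against a policy entry; a leading '*.' covers one label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # e.g. ".backup.example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return hostname == pattern


def evaluate(policy, attempt):
    """Decide whether to deliver, and list the policy failures seen in this session."""
    failures = []
    if policy.mode == "none":
        return True, failures
    if not any(mx_matches(p, attempt.mx_host) for p in policy.mx):
        failures.append("mx-mismatch")               # session reached an MX not in policy
    if not attempt.starttls_offered:
        failures.append("starttls-not-supported")    # e.g. the 250 STARTTLS reply was stripped
    else:
        if not attempt.cert_valid_for_mx:
            failures.append("certificate-not-trusted")
        if attempt.tls_version not in ACCEPTED_TLS:
            failures.append("tls-version-too-low")
    # enforce: any failure blocks delivery; testing: deliver anyway, but report the failures
    deliver = not failures or policy.mode == "testing"
    return deliver, failures


if __name__ == "__main__":
    policy = parse_policy(STS_POLICY_TEXT)
    print("policy id:", parse_sts_txt(STS_TXT_RECORD), "mode:", policy.mode)
    print(evaluate(policy, Attempt("mail.example.com", True, True, "TLSv1.3")))
    print(evaluate(policy, Attempt("mail.example.com", False, False, "")))
```

The point of the `mode` distinction is operational: a domain normally publishes in `testing` first, collects TLS reports showing which senders would have failed, and only then switches to `enforce`, where a stripped STARTTLS offer or an MX not named in the policy causes the sender to refuse delivery rather than fall back to plaintext.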