Email encryption is getting better but certain countries are deliberately preventing SSL requests from initiating, undermining industry efforts, according to a new report from Google.
The study, in partnership with the University of Michigan and the University of Illinois, reveals that overall email security is better than it was two years ago.
To this end, the number of encrypted emails received by Gmail from non-Gmail senders during the period increased from 33% to 61%.
In addition, the percentage of messages encrypted with TLS sent from Gmail to non-Gmail addresses increased from 60% to 80%.
And over 94% of inbound messages to Gmail were said to have carried some form of authentication.
But there were also causes for concern, as Google wrote in a supporting blog.
“First, we found regions of the internet actively preventing message encryption by tampering with requests to initiate SSL connections. To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen ‘opportunistic TLS’ using technologies that we pioneered with Chrome to protect websites against interception.
Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name. While this type of attack is rare, it’s very concerning as it could allow attackers to censor or alter messages before they are relayed to the email recipient.”
In Tunisia, Iraq, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho, over 20% of emails are delivered without encryption because computers force communication in plain text. In Tunisia the figure is above 96%.
This so-called “STARTTLS stripping” happens on over 60% of the 700,000 SMTP servers Google found in the world that are still failing on encryption.
The Mountain View giant said that to help notify users of possible dangers, it is looking to roll-out new functionality which will alert them when they receive an email through a non-encrypted connection.