Google launched a two-pronged attack against unencrypted email on Tuesday, divulging which webmail providers don't encrypt their customers' webmail in a new Transparency Report update, while making it easier for individuals to implement the tough email encryption standard known as Pretty Good Privacy, or PGP, with a new browser add-on called End-to-End.
An update to Google's Transparency Report published today introduces a new section called Safer Email. Based on traffic Google sees from Gmail, the section describes a world of webmail where only about half of all email sent is encrypted from server to server.
This is important because webmail that is sent between servers that has not been encrypted can be spied upon with relative ease, similar to the difference between sending a letter in an envelope and an open postcard. If the entire chain of communication isn't encrypted from the starting server to final destination server, the email essentially has no protective envelope.
"Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren't encrypted," wrote the Gmail Delivery Team tech lead Brandon Long, although he chose an encouraging tone over a scolding one.
"Many providers have turned on encryption, and others have said they're going to, which is great news," he wrote in a blog post announcing the update to the report.
Google wants webmail providers large and small to adopt Transportation Layer Security (TLS) to encrypt email and other data sent between its servers. While Gmail uses TLS in all its transmissions, Google's report says that currently, only 65 percent of messages sent from Gmail to other providers are received by a webmail provider using TLS. Messages sent to Gmail from other webmail systems fare even worse, with only 50 percent of them originating from companies that use TLS.
While Google's charts show that there's been a slight uptick recently, it's too recent to confirm as a trend. Google also provided interactive lists that chart which providers encrypt email in transit.
As the chart depicting worldwide traffic above shows, email marketing site ConstantContact.com, eBay Enterpise site ed10.com, Web coupon giant GroupOn, and Microsoft's Hotmail.com protect their users' email sent to Gmail accounts the least. Of the sites in the top 10 that encrypt at least 90 percent of their email to Gmail accounts, LinkedIn performs the worst. It sends less than 1 in 20 emails to Gmail accounts unencrypted, for a score of 95 percent.
Microsoft also shows up in the chart of emails sent from Gmail accounts to recipients whose providers don't encrypt incoming transmissions. Hotmail, Live, and MSN are all Microsoft services that scored poorly. As an email provider, Comcast encrypts "a very small fraction of emails in transit from Gmail, or none at all." Apple's Me.com, now part of its iCloud service, does not encrypt incoming emails from Gmail.
Representatives from Microsoft and Comcast told CNET that their companies are in the process of implementing TLS for their webmail services. Apple did not return a request for comment.
Encryption keys: Going where they haven't gone before
Along with the Transparency Report update, which is aimed at pressuring more webmail providers to encrypt all server-to-server email transmissions, Google has released a rough alpha extension for Chrome called End-to-End. Open-sourced with express purpose of attracting developers not at Google, it will allow a first for webmail: streamlined, relatively easy-to-use PGP integration.
"While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use," wrote Stephan Somogyi, a Google security and privacy product manager in a blog post announcing the add-on. "To help make this kind of encryption a bit easier, we're releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools," he said.
The extension is not ready for wide use, so Google has declined to host it in the Chrome Web Store and is discouraging developers from compiling it and submitting it to the store themselves.
"The End-To-End team takes its responsibility to provide solid crypto very seriously, and we don't want at-risk groups that may not be technically sophisticated -- journalists, human-rights workers, et al -- to rely on End-To-End until we feel it's ready. Prematurely making End-To-End available could have very serious real world ramifications," reads the extension's home page.
However, don't let its unpolished condition fool you. Google is putting its weight behind the project by including any security holes found in End-to-End in its lucrative Vulnerability Reward Program.
The End-to-End project site explains some of the difficulty Google engineers faced in building the extension. "We hold ourselves to a higher standard; we started from scratch and created a testable, modern, cryptographic library."
The project site says that the OpenPGP implementation was built on top of custom support for BigInteger, modular arithmetic, Elliptic Curve, symmetric and public-key encryption. How big a deal is this extension to Google? The company did not respond to a request for comment, but the project site states that some parts of the library designed for End-to-End "are already in use within Google. We hope our code will be used widely in future JS cryptographic projects."
Although the tech titan didn't specifically cite the ongoing revelations of government spying from documents leaked by Edward Snowden, it's been clear over the past year since Snowden came forward that government spying has driven the development of these tools. While they might compete on product development, Facebook, Google, Microsoft, and others have joined forces to fight against what they consider to be illegal government spying.
The tools would not change the policy of nearly all tech firms to comply with government subpoenas for information, although Microsoft recently reported that it defeated a government request on the grounds of its broad gag order.
Update, June 4 at 12:21 p.m. PT: Adds Comcast to list of webmail providers planning to implement TLS soon.
Update, 3:55 p.m. PT: Adds more information.