- Gmail will now support new protocols for encrypted and authenticated email server communication.
- Man-in-the-middle attackers will now have a harder time intercepting mail, and a harder time hiding it from admins.
- Gmail will be the first email provider to support the new standards, but more will follow soon.
As Google announced on their blog, Gmail is about to become the first major email provider to support the SMTP MTA Strict Transport Security (MTA-STS) protocol, as well as the SMTP TLS Reporting (TLS-RPT) standard. Google has been working closely with the IETF (Internet Engineering Task Force) during the past three years on the development of these standards, as have other major email providers such as Microsoft and Yahoo. Since Gmail is currently the only provider supporting the new standards, the benefits apply only to email exchanged between Gmail users; once more providers adopt the protocols, traffic between different platforms will become equally secure.
The main point of these new standards is to prevent, or at least undermine the effectiveness of, “man-in-the-middle” attacks. Malicious actors can set up rogue email servers that intercept messages exchanged between legitimate email servers. The new standards add a cryptographic protection layer: the connection is authenticated with a valid public certificate before it is encrypted with TLS 1.2 or higher. TLS reporting gives further insight into what happened to sent messages, and admins can even request daily reports. Since message delivery failures are not only a matter of accidental misconfiguration but can also indicate an ongoing attack or the use of unauthenticated channels, this reporting feature is essential from a security standpoint.
Google has published a detailed step-by-step guide on how to set up an MTA-STS policy on the DNS server you administer, how to create a valid configuration, publish the policy changes, and create a dedicated mailbox for receiving the TLS reports. Once configured, any email sent to the receiving server must pass through an authenticated and encrypted channel; otherwise, it will not reach the inbox at all. Man-in-the-middle attacks will still be possible, but the attackers will only capture encrypted data, and thanks to the reports admins will be able to tell immediately that something malicious is going on.
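To make the mechanism concrete, here is an added example (not code from Google or from the article) of what a sending mail server does with the records the guide has you publish: it parses the `_mta-sts` TXT record, the policy file served at `/.well-known/mta-sts.txt`, and the `_smtp._tls` TLS-RPT record, then decides whether delivery to a given MX host is allowed. The domain `example.com`, the record contents and the policy file are constructed sample data.

```python
"""Added example, not code from Google or the article: minimal MTA-STS
(RFC 8461) and TLS-RPT (RFC 8460) record handling as a sending MTA does it."""
# Constructed sample records for the hypothetical domain example.com.
STS_TXT_RECORD = "v=STSv1; id=20190101T000000;"  # TXT at _mta-sts.example.com
TLSRPT_TXT_RECORD = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"  # _smtp._tls.example.com
POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

def parse_tags(txt):
    """Split a 'k=v; k=v' DNS TXT record into a dict."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields

def parse_policy(text):
    """Parse /.well-known/mta-sts.txt into a dict; 'mx' collects every mx line."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    policy["max_age"] = int(policy.get("max_age", 0))
    return policy

def mx_matches(pattern, host):
    """RFC 8461 matching: a leading '*.' covers exactly one label, else exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def may_deliver(policy, mx_host, tls_ok):
    """Decide delivery under the policy. tls_ok means a TLS 1.2+ handshake with a
    certificate valid for mx_host succeeded. In enforce mode a non-matching MX or
    failed TLS aborts delivery; in testing mode mail still flows but the failure
    belongs in the TLS-RPT report sent to parse_tags(TLSRPT_TXT_RECORD)['rua']."""
    ok = tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
    return ok if policy["mode"] == "enforce" else True
```

The enforce-mode branch is what stops a rogue relay: an MX host that is not in the policy, or a handshake without a valid certificate, means the sender simply does not hand over the message.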