When you send an email to someone, it goes through something called Simple Mail Transfer Protocol (SMTP), a standard that was first developed in the 1980s and that lacks the ability to fully encrypt our messages. Because of this, a group of engineers from several different companies — including from Microsoft, Google, Comcast and LinkedIn — are working on a new proposal that would update the standard to ensure full encryption for all email messages.
The proposal, which was submitted recently to the Internet Engineering Task Force (IETF), outlines a new mechanism called Simple Mail Transfer Protocol Strict Transport Security (SMTP STS). Its main goal is to prevent man-in-the-middle attacks that have compromised past efforts at making SMTP a more secure protocol.
The IETF notes that under current protocols, “any attacker who can delete parts of the SMTP session (such as the “250 STARTTLS” response) or who can redirect the entire SMTP session (perhaps by overwriting the resolved MX record of the delivery domain) can perform such a downgrade or interception attack” on any messages sent.
The idea with the new proposal is to give message transfer agents (MTAs) that send emails the ability to watch out for certain red flags that would bounce sent messages back to their recipients if there are hints that they’ve been compromised. It essentially works like this: When you send a message to a destination that supports the new SMTP STS standard, the MTAs will automatically check to see if its destination supports encryption and if it has a valid certificate. In theory, this would prevent the message from being intercepted by a malicious server along the way to its destination, thus blocking attempted man-in-the-middle attacks.
This standard is still just a proposal and there are obviously a lot of details to be worked out before it gets rolled out worldwide. To get more technical details on how it would work, check out the IETF’s full page on it at this link.