
Gmail to alert users of unencrypted e-mails

By Michelle Avenant, portals journalist.
Johannesburg, 16 Nov 2015
A new Google study finds new security concerns despite e-mail encryption and authentication rising.

Google's Gmail will soon let users know when messages they receive have been sent via unencrypted connections, making them vulnerable to surveillance or tampering.

The warning service will be rolled out to users within the next few months, wrote Elie Bursztein and Nicolas Lidzborski in a Google blog post.

"We're constantly working to help make e-mail more secure for everyone," wrote Bursztein and Lidzborski.

The blog post also announces the publication of a study examining how e-mail security has evolved since 2013, for users of other e-mail services as well as Gmail.

Better e-mail security

Key findings from the study include the rise of inbound encryption, growth in domains supporting encryption, and almost-ubiquitous levels of authentication.

The proportion of e-mails Gmail users received from non-Gmail users that were encrypted rose from 33% to 61% between December 2013 and October 2015, according to a Google infographic. The percentage of transport-layer security (TLS)-encrypted e-mails sent from Gmail users to non-Gmail users rose from 60% to 80% during this time, it adds.

Google also found that over 94% of inbound messages to Gmail carry some form of authentication. "Technologies that help protect against phishing and impersonation have become the norm," it says.

New risks

Yet the study also identified "several new security challenges," according to Bursztein and Lidzborski.

One is that regions of the Internet "are actively preventing message encryption by tampering with requests to initiate SSL connections." To address this challenge, Google is working with to strengthen "opportunistic TLS," said Bursztein and Lidzborski.

The study also discovered numerous malicious DNS servers pushing false routing information to e-mail servers searching for Gmail. Although these are rare, they are "very concerning" as they could allow attackers to alter e-mails before they reach their recipients, Bursztein and Lidzborski said.

While these threats do not affect Gmail-to-Gmail communication, they can affect communication between users of different e-mail providers, which is why Gmail is working to notify users when an e-mail is sent via a potentially dangerous connection, they concluded.
