Showing posts with label Encrypted Email Service. Show all posts

Saturday, March 26, 2016

What is SMTP STS? How It improves Email Security for StartTLS?

Despite so many messaging apps, email is still one of the most widely used and popular ways to communicate in this digital age.

But are your Emails secure?

We have been using email services for decades, but the underlying 1980s transport protocol used to send emails, Simple Mail Transfer Protocol (SMTP), is ancient and lacks the ability to secure your email communication entirely.

To overcome this problem, SMTP STARTTLS was invented in 2002 as a way to upgrade an insecure connection to a secure connection using TLS. But STARTTLS is susceptible to man-in-the-middle attacks and encryption downgrades.

But worry not. A new security feature is on its way!!!

SMTP STS: An Effort to Make Email More Secure


Top email providers, namely Google, Microsoft, Yahoo!, Comcast, LinkedIn, and 1&1 Mail & Media Development, have joined forces to develop a new email standard that makes sure the emails you send are going through an encrypted channel and cannot be sniffed.

Dubbed SMTP Strict Transport Security (SMTP STS), the new security standard will change the way your emails make their way to your inbox.

SMTP STS has been designed to enhance email communication security. The new proposal was submitted to the Internet Engineering Task Force (IETF) on Friday.

The primary goal of SMTP STS is to prevent Man-in-the-Middle (MitM) attacks that have compromised past efforts like STARTTLS at making SMTP a more secure protocol.

Why Can't STARTTLS Ensure Email Security?


The biggest problem with STARTTLS is:


STARTTLS is vulnerable to man-in-the-middle (MITM) and encryption downgrade attacks, which is why it does not guarantee either message confidentiality or proof of server authenticity.
In the STARTTLS mechanism, when a client contacts a server, the client first asks the server whether it supports SSL or not.

Whatever the server replies, the point to note here is that this handshake takes place in the unencrypted state.

So what if an attacker intercepts this unencrypted communication and alters the handshake to trick the client into believing that the server doesn't support encrypted communication?

Answer: a successful man-in-the-middle attack that performs an encryption downgrade.

Because of this downgrade attack, the user ultimately ends up in a non-SSL communication, even though SSL is available from the legitimate server.

How Does SMTP STS Improve Email Security over STARTTLS?


SMTP Strict Transport Security (SMTP STS) will work alongside STARTTLS to strengthen the SMTP standard and to avoid encryption downgrade and man-in-the-middle attacks.

SMTP STS protects against an active hacker who wishes to intercept or modify emails between hosts that support STARTTLS.

SMTP STS relies on certificate validation via either TLS identity checking or DANE TLSA.

The new email security standard will check whether the recipient supports SMTP STS and has a valid and up-to-date encryption certificate.

If everything goes well, it allows your message to go through. Otherwise, it will stop the email from sending and will notify you of the reason.
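The difference between opportunistic STARTTLS and the strict behaviour described above, as an added example that is not part of the original post or of the SMTP STS draft. The function names, the `recipient_requires_tls` flag and the sample EHLO replies are assumptions made for illustration.

```python
# Added illustration: the sending server's delivery decision under
# opportunistic STARTTLS versus a strict policy. All names are hypothetical.

def parse_ehlo(reply: str) -> set[str]:
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    keywords = set()
    for i, line in enumerate(reply.strip().splitlines()):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        body = line[4:].strip()
        if i > 0 and body:                 # line 0 is the server greeting
            keywords.add(body.split()[0].upper())
    return keywords


def decide(ehlo_reply: str, recipient_requires_tls: bool, cert_valid: bool) -> str:
    """Decide what the sender does with the message.

    recipient_requires_tls models a strict policy already known for the
    recipient domain (assumption; the draft's policy format is not shown here).
    cert_valid models the result of certificate validation after STARTTLS.
    """
    offers_starttls = "STARTTLS" in parse_ehlo(ehlo_reply)
    if offers_starttls:
        if cert_valid:
            return "deliver-encrypted"
        if recipient_requires_tls:
            return "refuse: certificate invalid"
        # Assumed opportunistic behaviour: encrypt without authenticating the peer.
        return "deliver-encrypted-unauthenticated"
    if recipient_requires_tls:
        return "refuse: STARTTLS not offered"
    # Opportunistic fallback: the silent downgrade the article describes.
    return "deliver-plaintext"


# Constructed sample replies (mx.example.net is a placeholder host).
GENUINE = "250-mx.example.net Hello\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
# The same reply as the client sees it once the STARTTLS line is missing.
TAMPERED = "250-mx.example.net Hello\n250-SIZE 35882577\n250 8BITMIME"
```

With `TAMPERED`, the opportunistic sender returns `deliver-plaintext` without any error, while the strict sender returns a refusal that can be logged and reported to the user.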

So in short, SMTP STS is an attempt to improve where STARTTLS failed. And since the standard is only a draft proposal right now, you will need to wait before it becomes a reality.

The Internet Engineering Task Force has six months to consider the possibilities of this new proposal, because the motion will expire on September 19, 2016.

Meanwhile, you should also try the Swiss-based ProtonMail, a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications and keep users' personal data safe.

Sunday, March 20, 2016

The Best Way to Send and Receive End-to-End Encrypted Emails

How many of you know that your daily e-mails pass through a deep espionage filter?

This was unknown until the whistleblower Edward Snowden broke all the surveillance secrets, which made privacy and security more important for all Internet users than ever before.

I often get asked "How to send encrypted email?", "How can I protect my emails from prying eyes?" and "Which is the best encrypted email service?".

There are a number of encryption tools that offer encrypted email service to ensure that no one can see what you are sending to someone else.

One such tool to send encrypted emails is PGP (Pretty Good Privacy), an encryption tool designed to protect users’ emails from snooping.

However, setting up a PGP environment is quite a difficult task for non-tech users, so more than 97% of Internet users, including government officials, are still communicating via unencrypted email services such as Gmail, Yahoo, and others.

But here is good news for all those non-technical but privacy-conscious Internet users who wish to use encrypted e-mail communication without any hassle.

Solution — ProtonMail.

ProtonMail, developed by CERN and MIT scientists, is a free, open source and end-to-end encrypted email service that offers the simplest and best way to maintain secure communications and keep users' personal data secure.

ProtonMail Now Available for iOS and Android Users


ProtonMail has been invite-only since 2014, but now the email service has made itself available to everyone and launched new mobile apps.

If you opt for a free account, you'll get all of the basic features including:
  • A smart-looking app to access your end-to-end encrypted emails easily
  • 500MB of storage capacity
  • Sending 150 Messages per day
  • Two-factor authentication to access your encrypted email inbox
To increase storage capacity, you can purchase ProtonMail's paid accounts.

NOTE: Always remember the password that decrypts your email inbox. Once it is forgotten, you will no longer be able to retrieve your encrypted emails.

Key Features:

Even if someone intercepts your communication, he/she cannot read your conversations, because all emails you send to or receive from other ProtonMail users are automatically encrypted end-to-end by the service.

In addition, for communicating with non-ProtonMail email addresses, e.g. Gmail users, all you need to do is:
  • Create a message
  • Just click the encryption button
  • Set a random password
Once done, the recipient of your encrypted email will get a link to the message with a prompt to enter the same password in order to read it.

Another friendly feature that ProtonMail offers is Self-destructing emails. All you need to do is set an expiration date for an encrypted email you send, and it will get self-deleted from the recipient’s inbox once the date arrives.

Why Won't ProtonMail Have to Comply with American Laws?


In a previous article, I explained that ProtonMail is based in Switzerland, so it won't have to comply with American courts’ demands to provide users' data.

In the worst case, if a Swiss court orders ProtonMail to provide data, it will get only heaps of encrypted data, as the company doesn’t store the encryption keys.

ProtonMail has gained an enormous amount of popularity during its developing stages.

ProtonMail encrypts the data in the browser before it communicates with the server, so only encrypted data is stored on the email service's servers, making it significantly more secure for those looking for an extra layer of privacy.