World's Largest Companies Join Forces To Work On Encrypted Email
SMTP, the underlying transport technology used to send email, is surprisingly ancient and has been in use for decades. Most email is still sent as unencrypted plain text, yet we rely on it for our private conversations as well, which is why SMTP STARTTLS was invented to fix it.
But it did not gain much success and failed to be widely adopted. It also contains many flaws and fails to ensure that emails are actually encrypted.
With SMTP STARTTLS it is very easy to man-in-the-middle an email before it’s sent and tell the sender that no SSL is enabled, so the client sends it unencrypted without warning.
A new proposal has been submitted to the Internet Engineering Task Force. It was worked on by engineers from Microsoft, Yahoo, Google, Comcast, LinkedIn, 1&1 Mail & Media Development.
The main idea was to protect against an attacker who wants to intercept or modify email in transit by either impersonating the destination server or breaking SSL through various existing attacks.
The other idea is that, with SMTP STS supported, when an email is sent to a domain the sender automatically checks whether that domain supports encryption. Before the email is sent, a valid certificate ensures that the sender is talking to the right server.
If the check fails, the email is not delivered and the user is told the reason. The proposal includes a wealth of technical detail on how this should work in practice.
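The difference between the two behaviours described above (silent fallback under STARTTLS, refusal under a strict policy) can be sketched as a sender-side decision function. This is an added example, not code from the proposal or from any mail server; the function names, the require_tls and cert_valid parameters and the sample replies are assumptions made for illustration.

```python
# Added illustration; require_tls and cert_valid are hypothetical names,
# not fields from the SMTP STS proposal.

def parse_ehlo_extensions(reply):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    extensions = set()
    for line in reply.strip().splitlines()[1:]:  # first line is the greeting
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            words = line[4:].split()
            if words:
                extensions.add(words[0].upper())
    return extensions


def delivery_decision(ehlo_reply, cert_valid, require_tls):
    """Return (action, reason) for one delivery attempt.

    cert_valid:  outcome of certificate validation during the TLS handshake
                 (assumed to be computed elsewhere; unused if STARTTLS is absent).
    require_tls: True when the recipient domain is known to require encryption.
    """
    offered = "STARTTLS" in parse_ehlo_extensions(ehlo_reply)
    if not offered:
        if require_tls:
            return ("refuse", "STARTTLS not offered by a domain that requires TLS")
        return ("send_plaintext", "STARTTLS not offered; silent fallback")
    if not cert_valid:
        if require_tls:
            return ("refuse", "server certificate failed validation")
        return ("send_encrypted", "encrypted, but server identity unverified")
    return ("send_encrypted", "encrypted to a validated server")


# Constructed sample replies (mx.example.net is a placeholder host).
GENUINE = ("250-mx.example.net\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n"
           "250-STARTTLS\r\n250 SMTPUTF8\r\n")
# The same reply as the sender sees it when the STARTTLS line is missing.
STRIPPED = ("250-mx.example.net\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n"
            "250 SMTPUTF8\r\n")

if __name__ == "__main__":
    for name, reply in (("genuine", GENUINE), ("stripped", STRIPPED)):
        for strict in (False, True):
            print(name, "strict" if strict else "opportunistic",
                  delivery_decision(reply, cert_valid=True, require_tls=strict))
```

With the opportunistic setting, the stripped reply leads to plaintext delivery with no error; with the strict setting, the same reply produces a refusal and a reason that can be reported to the user.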
If the proposal succeeds, it will bring to email the authenticated communication that has long existed on the Web, but not in your inbox.