OX Blog

Google: TLS is not enough

Written by Neil Cook | Feb 12, 2016

We welcome Google’s announcement that they will be making secure email transport information available to users. Securing internet services, and particularly email, from pervasive monitoring by governments and criminals is vital to maintaining public trust in those services.

Open-Xchange recently hosted a Trusted Email Services roundtable in London where service providers from across Europe discussed how best to use open standards to secure email. While we support Google’s decision to make TLS transport encryption more visible to end-users, we also strongly recommend that they and other providers start to implement more rigorous standards such as DNSSEC and DANE to ensure that the email transport is fully secure. Although opportunistic TLS is more secure than cleartext transport, it is still subject to downgrade attacks and DNS spoofing, meaning it can lead users into a false sense of security.
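To illustrate the downgrade point above, the following added example (not code from Google, Open-Xchange or the original post) models a sending mail server's decision when STARTTLS is missing from the EHLO reply, first under opportunistic TLS and then under DANE with DNSSEC-validated TLSA records. The function names and sample data are constructed for illustration; the DANE behaviour follows RFC 7672, and only the "3 1 1" TLSA form is handled.

```python
import hashlib

def parse_ehlo_extensions(response: str) -> set:
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    exts = set()
    for line in response.splitlines()[1:]:        # first line is the greeting
        if line[:3] == "250" and len(line) > 4:
            exts.add(line[4:].split()[0].upper())
    return exts

def tlsa_311_matches(spki_der: bytes, tlsa_hex: str) -> bool:
    """TLSA '3 1 1': SHA-256 over the server's SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest() == tlsa_hex.lower()

def decide(ehlo: str, secure_tlsa, spki_der: bytes = b"") -> str:
    """Hypothetical sender policy. secure_tlsa is a list of '3 1 1' digests
    from a DNSSEC-validated answer, or None when no such records exist."""
    starttls = "STARTTLS" in parse_ehlo_extensions(ehlo)
    if secure_tlsa is None:
        # Opportunistic TLS: a missing STARTTLS silently means cleartext,
        # and any certificate is accepted when TLS is used.
        return "encrypt-unauthenticated" if starttls else "send-cleartext"
    if not starttls:
        # DANE: validated TLSA records make TLS mandatory, so fail closed.
        return "defer"
    if any(tlsa_311_matches(spki_der, d) for d in secure_tlsa):
        return "encrypt-authenticated"
    return "defer"                                # key does not match DNS pin

# Constructed sample data (not captured from any real server).
EHLO_FULL = "250-mx.example.net\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME"
EHLO_STRIPPED = "250-mx.example.net\n250-SIZE 10240000\n250 8BITMIME"
SPKI = b"constructed stand-in for DER SubjectPublicKeyInfo"
TLSA = [hashlib.sha256(SPKI).hexdigest()]

if __name__ == "__main__":
    for name, ehlo in (("full", EHLO_FULL), ("stripped", EHLO_STRIPPED)):
        print(name, "opportunistic:", decide(ehlo, None))
        print(name, "dane:", decide(ehlo, TLSA, SPKI))
```

With the stripped reply, the opportunistic sender falls back to cleartext without any signal to the user, while the DANE sender defers delivery.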

Additionally, TLS is just one piece of the privacy and security puzzle; end-to-end encryption, such as that provided by OpenPGP, is also an extremely important tool for privacy protection, particularly when combined with secure transport – as Google themselves note.

Together with the other software vendors and service providers in the Trusted Email Services initiative, we take the view that by working together to make services secure, we can maintain public trust in those services.