Google beefs up Gmail security with Safe Browsing warnings and tips for avoiding state-sponsored attacks

Google today updated Gmail with two new security improvements. The company also underlined a proposal to further boost email security as a whole. First up, Google has turned on its Safe Browsing service for Gmail users. While the feature has already been used to identify potentially dangerous links in messages, starting this week, Gmail users will see warnings if they click these links.

Safe Browsing provides lists of URLs that contain malware or phishing content to Chrome, Firefox, and Safari browsers, as well as to Internet Service Providers (ISPs). The service can also be accessed via the public API or directly, by manually changing this URL to check whichever site you want. Google has been extending Safe Browsing to its various products over the years, including Android, Ads, Analytics, and so on.

Here’s the new full-page warning in Gmail:

Next up, Google wants to be even more helpful in fighting state-sponsored attacks. Currently, Gmail shows a warning when it suspects users are being targeted by state-sponsored attackers. Google notes that fewer than 0.1 percent of Gmail users have received such a warning, but stresses that they are “critically important” because recipients are often “activists, journalists, and policy-makers taking bold stands around the world.”

Today, Gmail has gained a full-page warning with instructions about how users being targeted can stay safe:

This new warning can be shown instead of, or in addition to, the existing warnings Gmail already has in place for suspicion of state-sponsored attacks.

Last month, Gmail started warning users if they received a message that wasn’t delivered using encryption or if they were composing a message to a recipient whose email service doesn’t support TLS encryption. Today, the company shared that in the 44 days since adding this warning, the amount of inbound email sent over an encrypted connection has increased by 25 percent. That’s an impressive gain for such a simple addition.

SMTP STS

But Google today also noted that “misconfigured or malicious parts of the Internet can still tamper with email encryption.” The company thus underlined news from late last week: Comcast, Google, Microsoft, LinkedIn, Yahoo, and 1&1 Mail & Media Development have teamed up to help ensure TLS encryption works as intended.

On Friday, the group submitted a draft specification to the Internet Engineering Task Force (IETF) for “SMTP Strict Transport Security” (SMTP STS). The new proposed standard aims to ensure that email only be delivered through encrypted channels, and that any encryption failures be reported for further analysis.

Here is the proposal’s abstract:

SMTP STS is a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely.

The goal is to change the fact that millions of emails are still sent unencrypted over SMTP. Instead, email sent over SMTP STS would only arrive if the sender’s email service had checked that the destination supported encryption and that its certificate is valid. If either of these checks failed, the email would not be sent and the user would be told why.

Although a lot of email is sent using TLS encryption, there are cases when it fails. When that happens, emails are still sent, but in plain text, and the user is never informed that the communication was not encrypted.

While SMTP STS has great potential, it is still only in the proposal stage. It has to be approved and implemented widely before most email accounts can benefit.

In the meantime, Gmail users will have to be satisfied with the regular security updates Google seems to be putting out this year. Not a bad state of affairs to fall back on.