1&1 Mail & Media, Google, LinkedIn, Microsoft and Yahoo want to ensure e-mails are secure. The companies have sent the Internet Engineering Task Force a proposal for a new system that provides better encryption.
The proposed system, SMTP Strict Transport Security (SMTP STS), is designed to address shortcomings of the STARTTLS extension to SMTP. According to the companies, while the extension was meant to provide truly encrypted messages, it is not widely used and is susceptible to attacks.
“We found that while the use of STARTTLS is common and widespread, the growth has slowed in recent years,” wrote Binu Ramakrishnan, security engineer at Yahoo Mail, in a blog post. “Providers with good/valid certificates have better TLS settings compared to others, and we believe there is an important need to improve the quality of STARTTLS deployments to protect messages—and therefore, users—from active network attacks.”
SMTP STS is designed to enable “mail service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely,” according to the proposal.
The engineers have also suggested some areas where the system could be improved if the proposal succeeds, such as certificate pinning, policy distribution, receive-from restrictions, and cipher and TLS version restrictions.
The full proposal is available here.