The Washington Post published a new piece by Barton Gellman and myself on Wednesday that revealed new insights into how the NSA conducts surveillance on US technology companies. Specifically, we described how the NSA captures data flowing between the private data centers of companies like Google and Yahoo. Google announced last month that it’s beginning to encrypt these links (possibly based on some precinct paranoia) and the WSJ reports that other firms are “racing to encrypt data.” This is a great development, in my opinion, as even if the NSA weren’t monitoring these links, it’s safe to assume that other foreign governments are.
However, as the firms begin to beef up their own internal security, its also important to note that links BETWEEN companies are still unencrypted. For example, when Google users send email to Yahoo users, that communication is still entirely “cleartext” and accessible in bulk to anyone listening. I had researched this question a few months ago and found that, of the four US webmail providers (Google, Hotmail, Yahoo, and AOL), only Gmail supports encrypted email transport (see the graphic above).
But you need two to tango — both sides of the email transaction need to support encryption. While client-to-server communications are finally being secured by HTTPS and internal server-to-server communications are getting attention after the recent cloud hacking stories, inter-server communications between companies are not. So, even though gmail supports SMTP encryption, emails from them to other webmail traverse the internet “in the clear” and are available to well resourced actors like the NSA since the receiving company doesn’t. This doesn’t just affect the 4 companies I listed above, it affects nearly all email providers communicating with one another.
Fortunately, fixing this is a relatively simple tweak. Most email systems support a simple encryption feature called TLS (for Transport Layer Security), which, if enabled would result in encrypting our emails as they are transmitted in-bulk between email providers. Essentially, this is the ‘lock icon’ you see in your browser (HTTPS) for communications between email providers. In the grand scheme of snoop-proofing cloud services, this is a relatively basic undertaking with a big payoff.
In fact, Google, Microsoft, AND YAHOO (usually last to the crypto party), already support TLS for their own corporate email – just not for their customers (see below). Amidst all the rhetoric about ‘privacy being important’ and ‘companies making strides to improve security’, one can ask — why haven’t companies enabled the basic security features already built into one of the oldest protocols on the internet?
CNET did a story based on this insight but I thought it’s worth highlighting as we discuss “the race to encrypt the cloud”.