Soon, you may see a warning in Gmail that tells you that an email has arrived over an insecure connection.
Gmail already defaults to using HTTPS for the connections between your browser and its servers. However, for the longest time, the standard practice for sending email between providers was to leave messages unencrypted. If somebody managed to intercept those messages, it was pretty trivial to snoop on them.
Over the last few years (especially after the Snowden leaks), Google and other email providers started to change this and today, 57 percent of messages that users on other email providers send to Gmail are encrypted. Moreover, 81 percent of outgoing messages from Gmail are, too. Gmail-to-Gmail traffic is always encrypted.
Why does all of this matter? Well, unencrypted email makes for a great target. The good news is that email security is getting better. A joint research project between Google, the University of Michigan, and the University of Illinois found that 94 percent of inbound messages to Gmail can now be authenticated, which makes life harder for phishers. But at the same time, these researchers also found that there are “regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections.”
The team also saw a number of malicious DNS servers that tried to intercept traffic. “These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name,” the researchers write. “While this type of attack is rare, it’s very concerning as it could allow attackers to censor or alter messages before they are relayed to the email recipient.”
Given that there are still plenty of email servers that don’t support encryption, chances are you’ll see one or two of these warning labels in the next few months.