In celebration of Safer Internet Day, Google has updated Gmail on the web with two new security features that will be rolling out to users this week. The changes center around Transport Layer Security (TLS) encryption and email authentication, aiming to keep users’ email safe from hackers. However, the company points out that other services need to take the same steps Google is implementing to ensure the privacy of both the sender and receiver.
“Gmail has always supported encryption in transit using TLS, and will automatically encrypt your incoming and outgoing emails if it can,” says Google’s Product Manager John Rae-Grant. “We support industry-standard authentication to help combat email impersonation. And there are tons of other security measures running behind the scenes to keep your email safe.”
The first change focuses on TLS encryption. If a Gmail user is about to send a message to, or has received a message from, someone whose email service doesn’t support TLS encryption, they’ll see a broken icon in the message. Why is this a big deal? TLS is a protocol that encrypts messages and delivers them securely. Without TLS, a third party could eavesdrop on the transmission between mail servers and read your private emails.
Google admits that TLS encryption isn’t a perfect solution, but it’s currently good enough to be adopted as the standard for secure email. Back in 2014, Google showed that 65 percent of the messages from Gmail to other providers were encrypted, whereas 50 percent of the incoming messages to Gmail were encrypted. Those numbers have climbed since then, with 82 percent of outgoing email and 58 percent of incoming email now encrypted.
The second Gmail change deals with authentication. If a user receives a message that Google can’t authenticate, it will be branded with a question mark in place of the sender’s avatar, corporate logo, or profile photo. Email authentication is important because it lets an email provider recognize the sender of an incoming message. This authentication data can be used to fight spam and other forms of email abuse, and to verify the source of any received email.
“For example, if you receive a message from a big sender (like a financial institution, or a major email provider, like Google, Yahoo or Hotmail) that isn’t authenticated, this message is most likely forged and you should be careful about replying to it or opening any attachments,” Google states.
John Rae-Grant’s blog on Tuesday points out that not all email falling under the new security features will be dangerous. However, Gmail users are encouraged to be cautious about emails that can’t be authenticated or arrive from a mail server that doesn’t support TLS encryption. And as always, don’t click on links embedded in suspicious emails.