The Washington Post

Google will now name and shame e-mail providers that don’t support encryption

Security obsessives will know that although Google has begun encrypting the links between its own servers — so the National Security Agency can't hack our e-mails as they're traveling across the company's systems — we risk losing those protections as soon as our messages leave Google's walled garden.

The trouble is that encryption only works if both your e-mail program and your recipient's support it. So if, for example, you're on Gmail, but your friend uses a Comcast e-mail address, chances are your messages will show up unencrypted at the other end, because Comcast doesn't have encryption enabled. (Update: Comcast tells me that it is currently testing encryption and will soon be able to talk to Google servers on an encrypted basis "in a matter of weeks.") Google estimates that up to half of the e-mail sent between Gmail and other sites is not encrypted, a situation that could be easily fixed with the right investments, according to a Google employee who declined to be named because he wasn't authorized to speak publicly.


"As my engineer colleague said, it's not rocket science — it's elbow grease," the employee said.

To draw more attention to the issue, Google intends to start publicly identifying which other companies support e-mail encryption, and which don't, as part of its periodic transparency reports. The company said in a blog post Tuesday that it's creating a new section in the report that explains which domains support Transport Layer Security (TLS) — the encryption protocol that automatically shields e-mail from prying eyes if both the sender's and the receiver's providers have it switched on. Since December, the share of encrypted e-mails sent from Google to other providers has risen from 30 percent to 65 percent, according to the company.


Google's report will include a database of commonly e-mailed domains. It's publicly searchable and covers about 6,000 sites. The screenshot above offers a global sample; users can drill down to their region of choice to get more specific or run a search for a particular site to check if it supports encryption. Some domains encrypt only a certain percentage of their incoming or outgoing e-mail; that's likely because only a portion of the domain's servers have TLS enabled and configured, according to the Google employee.
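The partial-encryption effect described above comes from opportunistic SMTP TLS: a sending server only encrypts the hop if the receiving host advertises STARTTLS in its EHLO reply. The following added example (not code from the article or from Google) audits constructed EHLO replies for a hypothetical domain's MX hosts and computes the share that would accept TLS; the host names and replies are made up.

```python
"""Audit SMTP EHLO replies for STARTTLS support (opportunistic TLS, RFC 3207).

A domain whose MX hosts are only partly configured shows a partial
encryption share, because senders encrypt only to hosts that advertise
STARTTLS.  All data below is constructed for illustration.
"""
import re
from typing import Dict, Set

# Constructed EHLO replies, one per MX host of a hypothetical domain.
# Real replies have the same shape: "250-" continuation lines, "250 " final line.
EHLO_REPLIES: Dict[str, str] = {
    "mx1.example.net": (
        "250-mx1.example.net Hello\r\n"
        "250-SIZE 52428800\r\n"
        "250-STARTTLS\r\n"
        "250 8BITMIME\r\n"
    ),
    "mx2.example.net": (  # misconfigured host: no STARTTLS offered
        "250-mx2.example.net Hello\r\n"
        "250-SIZE 52428800\r\n"
        "250 8BITMIME\r\n"
    ),
}

_EXTENSION = re.compile(r"^250[- ](\S+)", re.MULTILINE)


def ehlo_extensions(reply: str) -> Set[str]:
    """Return the extension keywords advertised in an EHLO reply.
    The first 250 line carries the greeting, not an extension, so skip it."""
    keywords = _EXTENSION.findall(reply)
    return {k.upper() for k in keywords[1:]}


def advertises_starttls(reply: str) -> bool:
    """True if the receiving host offers to upgrade the session to TLS."""
    return "STARTTLS" in ehlo_extensions(reply)


def starttls_share(replies: Dict[str, str]) -> float:
    """Fraction of MX hosts advertising STARTTLS, assuming senders spread
    connections evenly over the hosts (a simplifying assumption)."""
    if not replies:
        return 0.0
    return sum(advertises_starttls(r) for r in replies.values()) / len(replies)


def link_encrypted(sender_offers_tls: bool, recipient_reply: str) -> bool:
    """Opportunistic TLS protects the hop only when both sides support it."""
    return sender_offers_tls and advertises_starttls(recipient_reply)
```

Run against your own MX hosts, a share below 1.0 points at the specific hosts that still need TLS configured.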

For those who need complete certainty that their e-mails are being protected, Google also announced Tuesday that it's unveiling a piece of encryption code that it hopes someday to turn into a Chrome extension. The project, called End-to-End, aims to address the problem of some sites failing to support TLS. By applying an extra layer of encryption on top of what Google's systems already provide by default, e-mails sent to providers that don't support TLS will show up on the other end as gibberish, not plain text as would occur today. To decrypt the e-mail, the recipient would also have to be using End-to-End or another form of the encryption protocol known as PGP.

Google says it's releasing the code to the public for security stress-testing before it turns the idea into an installable Chrome extension.

Brian Fung covers technology for The Washington Post, focusing on telecommunications and the Internet. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.