The Washington Post

Google will now name and shame e-mail providers that don’t support encryption

(David Orban)

Security obsessives will know that although Google has begun encrypting the links between its own servers — so the National Security Agency can't hack our e-mails as they're traveling across the company's systems — we risk losing those protections as soon as our messages leave Google's walled garden.

The trouble is that encryption only works if both your e-mail program and your recipient's support it. So if, for example, you're on Gmail, but your friend uses a Comcast e-mail address, chances are your messages will show up unencrypted at the other end, because Comcast doesn't have encryption enabled. (Update: Comcast tells me that it is currently testing encryption and will soon be able to talk to Google servers on an encrypted basis "in a matter of weeks.") Google estimates that up to half of the e-mail sent between Gmail and other sites is not encrypted -- a situation that could be easily fixed with the right investments, according to a Google employee who declined to be named because he wasn't authorized to speak publicly.

"As my engineer colleague said, it's not rocket science — it's elbow grease," the employee said.

To draw more attention to the issue, Google intends to start publicly identifying which other companies support e-mail encryption, and which don't, as part of its periodic transparency reports. The company said in a blog post Tuesday that it's creating a new section in the report that explains which domains support Transport Layer Security (TLS) — the encryption protocol that automatically shields e-mail from prying eyes if both the sender's and the receiver's providers have it switched on. Since December, the share of encrypted e-mails sent from Google to other providers has risen from 30 percent to 65 percent, according to the company.

Google's report will include a database of commonly e-mailed domains. It's publicly searchable and covers about 6,000 sites. The screenshot above offers a global sample; users can drill down to their region of choice to get more specific or run a search for a particular site to check if it supports encryption. Some domains encrypt only a certain percentage of their incoming or outgoing e-mail; that's likely because only a portion of the domain's servers have TLS enabled and configured, according to the Google employee.
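As an added example (not code from the article or from Google), here are the two checks a mail administrator would run to mirror what this report measures: parsing an SMTP EHLO reply for the STARTTLS extension that makes server-to-server TLS possible, and computing the per-domain share of encrypted deliveries from a delivery log. The EHLO replies and log lines below are constructed, and `probe_starttls` assumes a mail server you operate yourself.

```python
"""Opportunistic SMTP TLS checks, added to illustrate the article's point.

Two pieces: (1) parse an EHLO reply and tell whether the peer advertises
STARTTLS; (2) summarise constructed delivery-log lines into the per-domain
encrypted share that the transparency report publishes. A live probe is
included for a server you operate; all sample data here is constructed.
"""
import re
import smtplib
from collections import defaultdict

# Constructed EHLO replies (not captured from any real provider).
EHLO_WITH_TLS = "250-mx.example.com\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_WITHOUT_TLS = "250-mail.example.net\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"


def starttls_offered(ehlo_reply: str) -> bool:
    """True if a multi-line 250 EHLO reply lists the STARTTLS extension (RFC 3207)."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[ -](\S+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect to an MTA you operate and report whether it offers STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed outbound delivery log: recipient domain and whether TLS was used.
DELIVERY_LOG = """\
to=alice@example.com tls=yes
to=bob@example.com tls=yes
to=carol@example.net tls=no
to=dave@example.net tls=yes
to=erin@example.org tls=no
"""
LOG_RE = re.compile(r"to=\S+@(\S+) tls=(yes|no)")


def encrypted_share(log: str) -> dict:
    """Map each recipient domain to the percentage of deliveries that used TLS."""
    counts = defaultdict(lambda: [0, 0])  # domain -> [tls deliveries, total]
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        domain, tls = m.groups()
        counts[domain][1] += 1
        if tls == "yes":
            counts[domain][0] += 1
    return {d: round(100.0 * t / n, 1) for d, (t, n) in counts.items()}


if __name__ == "__main__":
    print(starttls_offered(EHLO_WITH_TLS), starttls_offered(EHLO_WITHOUT_TLS))
    print(encrypted_share(DELIVERY_LOG))
```

A domain whose share sits between 0 and 100 percent is the case the article describes: only some of its receiving servers offer STARTTLS, so only part of its mail arrives encrypted.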

For those who need complete certainty that their e-mails are being protected, Google also announced Tuesday that it's unveiling a piece of encryption code that it hopes someday to turn into a Chrome extension. The project, called End-to-End, aims to address the problem of some sites failing to support TLS. By applying an extra layer of encryption on top of what Google's systems already provide by default, e-mails sent to providers that don't support TLS will show up on the other end as gibberish, not plain text as would occur today. To decrypt the e-mail, the recipient would also have to be using End-to-End or another form of the encryption protocol known as PGP.

Google says it's releasing the code to the public for security stress-testing before it turns the idea into an installable Chrome extension.