Why Google’s Transparency Report Reveals Only the First Step Toward Email Security


Geoff Bibby

Gmail is one of the most-used email applications in the world, and with more than 1 billion users, it’s critical for Google to advance email security to better protect communication and give people confidence that their email is secure, especially as hackers continue to strengthen their attack methods.
To raise awareness of the risks of unsecured email and demonstrate strides in email protection, Google publishes the Transparency Report. In less than five years, Google has showcased a rise in its encryption rates from 39 percent of emails sent in 2013 to 88 percent today. However, the impressive growth of encryption can be misleading when you dive into the strength of the security method and its reach.

The Limits of TLS

Google uses Transport Layer Security (TLS) to protect emails in transit, and it’s an important and significant step in the effort to keep emails secure. Still, it’s not enough. As a standard, TLS allows multiple strengths of authentication, from none at all up to very strong. Sending email over TLS without authenticating the receiving email server adds little protection. Essentially, doing this would be like dropping a sealed letter in the mail but not confirming that the address belongs to the intended recipient. The Transparency Report is a good start on education, but it could be even better if it showed the level of authentication used before delivery.
The TLS mode used by Google is also critical to the strength of encryption. TLS can be used in either a mandatory mode, in which email is either encrypted or rejected, or an opportunistic mode, which tries encryption but, if that is not possible, sends the email in the clear without protection. Google is likely using mandatory TLS for connections with other well-known email services (like Yahoo) and using opportunistic TLS for connections to other email domains (like healthcare organizations, financial organizations, and other businesses that Gmail users would communicate sensitive information to). But without knowing which mode is in use, the true reach of the added security remains in question. Moreover, clarifying this point would help educate people on email safety.
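
The two choices described in this section, the TLS mode and whether the receiving server is authenticated, shown with Python's smtplib as an added example that is not from the original article, Google, or Zix. The names `deliver`, `make_context`, `DeliveryRefused` and the `smtp_factory` parameter are hypothetical, and delivery on port 25 is assumed.

```python
import smtplib
import ssl

class DeliveryRefused(Exception):
    """Policy forbids sending over the channel the server offered."""

def make_context(authenticate):
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if not authenticate:                # encrypted, but to whoever answers
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def deliver(host, sender, rcpt, message, *, mandatory, authenticate,
            smtp_factory=smtplib.SMTP):  # smtp_factory: hypothetical test hook
    """Send one message; return the protection actually applied."""
    for try_tls in (True, False):       # second pass = cleartext retry
        smtp = smtp_factory(host, 25, timeout=30)
        try:
            smtp.ehlo()
            if try_tls and smtp.has_extn("starttls"):
                try:
                    smtp.starttls(context=make_context(authenticate))
                except ssl.SSLError as exc:
                    if mandatory:       # mandatory: encrypt or reject
                        raise DeliveryRefused(f"TLS to {host} failed") from exc
                    continue            # opportunistic: reconnect, no TLS
                smtp.ehlo()             # re-negotiate inside the tunnel
                level = ("tls-authenticated" if authenticate
                         else "tls-unauthenticated")
            elif mandatory:
                raise DeliveryRefused(f"{host} does not offer STARTTLS")
            else:
                level = "cleartext"     # opportunistic fallback
            smtp.sendmail(sender, rcpt, message)
            return level
        finally:
            smtp.close()
```

Logging the returned level per recipient domain gives the breakdown the section asks for: how much mail left encrypted and authenticated, encrypted only, or in the clear.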

Ensuring Comprehensive Email Security

While Google’s TLS encryption is an asset, it must be supplemented to provide the kind of email security today’s enterprises require. For example, S/MIME — an internet standard — can offer all of these features in one easy-to-implement package:
  • Confidentiality: The sender and receiver are the only parties who can read an email.
  • Integrity: Both parties receive verification that an email has not been tampered with during transit.
  • Authentication: Accounts are confirmed to belong to authorized parties.

S/MIME requires both the sender and the recipient to exchange a certificate before communicating over email. This ensures that the encryption is ironclad and is exactly why it provides such a deep layer of protection. S/MIME isn’t widely used, however, because it becomes difficult to manage multiple certificates, and the need for efficient communication often wins out over security.
At Zix, we’ve created a solution designed to fill in the gaps of TLS and make S/MIME easier to manage. GAME, designed exclusively for G Suite at the request of Google, and ZixEncrypt streamline the process of S/MIME, making it possible to add those extra layers of protection and ensure that a certain level of certificate authentication is in place. If a secure connection can’t be authenticated, then these solutions automatically encrypt emails through the safest alternative, such as a mobile-friendly secure web portal.
Email providers like Google are improving the security of your inbox. But without supplemental protections in place, your sensitive communications are at risk. Zix solutions can help you close the gaps in your current email security strategy and safeguard your messages. If what you have to communicate needs to be encrypted, you can rest assured it will be with Zix.