For anyone who missed a recent technical conference in Japan dedicated to “Internet measurement,” here’s some good news that came out of the event:
Email is getting more secure, and encryption is on the rise. (The number of encrypted emails sent from non-Gmail users to Gmail users doubled to 61% between December 2014 and October 2015, for instance.)
Now for the bad news: Internet attacks that force encrypted connections to downgrade to unencrypted ones are also prevalent. In layman’s terms, this means that many email messages are still being sent in readable plaintext.
Now the even worse news: Email correspondents have no way of knowing whether they have been targeted by such an attack. They’re completely blind to the threat, in other words.
That’s the disturbing conclusion of a recent research paper that analyzes the security of email delivery, presented at the conference by anti-abuse and anti-fraud computer researchers at Google as well as the University of Michigan and the University of Illinois. Now Google is working on a way to address the issue.
A spokesperson tells Fortune that the company is designing an alert system that will warn Gmail users when they receive an email message over an insecure connection. Although the details have yet to be ironed out, Google says it plans to roll out these notifications in the coming months.
More information is available in a post on Google’s online security blog here.
Notably, the attacks only affect messages sent between different email providers, according to Google. So, communications between Gmail and Microsoft Outlook or Yahoo accounts could be affected, for example.
As the research paper authors note, these attacks “are not inherently malicious,” as they may sometimes be the result of legitimate email filtering. “Regardless of intent,” the authors conclude, “this technique results in messages being sent in cleartext over the public Internet, enabling passive eavesdropping and other attacks.”
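The kind of check a receiving mail operator can run to surface the problem the paper describes: each mail server records, in the Received header it adds, whether the hop that delivered the message used TLS. The script below, an added example that is not Google's code or the paper's, walks a constructed message's Received chain and flags hops recorded as plaintext SMTP; it assumes Postfix-style header wording, and only the hop written by your own server is trustworthy, since earlier headers come from remote servers and can be forged.

```python
import email
import re
from email import policy

# Constructed sample (not from the paper): two hops, the first delivered
# as plain ESMTP, the second over TLS. Hostnames and IDs are made up.
SAMPLE = """Received: from mx.example.com (mx.example.com [192.0.2.10])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        by mail.example.net (Postfix) with ESMTPS id ABC123
        for <alice@example.net>; Thu, 12 Nov 2015 10:00:00 +0000
Received: from sender.example.org (sender.example.org [198.51.100.7])
        by mx.example.com (Postfix) with ESMTP id DEF456
        for <alice@example.net>; Thu, 12 Nov 2015 09:59:58 +0000
From: bob@example.org
To: alice@example.net
Subject: test

hello
"""

# "with ESMTPS"/"SMTPS"/"ESMTPSA" or a "using TLSv1.x" clause marks a TLS hop;
# plain "with ESMTP"/"SMTP" means the connection was not encrypted.
TLS_MARKERS = re.compile(r"with\s+E?SMTPSA?\b|using\s+TLSv1", re.I)

def hop_used_tls(received_value: str) -> bool:
    """Heuristic: did this Received header record a TLS-protected hop?"""
    return TLS_MARKERS.search(received_value) is not None

def audit_hops(raw_message: str) -> list[tuple[str, bool]]:
    """Return (receiving host, used_tls) per hop, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Received headers are prepended, so the last one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bby\s+(\S+)", value)
        by_host = m.group(1) if m else "?"
        hops.append((by_host, hop_used_tls(value)))
    return hops

def plaintext_hops(raw_message: str) -> list[str]:
    """Hosts that received the message without TLS; non-empty means exposure."""
    return [host for host, used_tls in audit_hops(raw_message) if not used_tls]

if __name__ == "__main__":
    for host, used_tls in audit_hops(SAMPLE):
        print(f"{host}: {'TLS' if used_tls else 'PLAINTEXT'}")
```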
Earlier this year, the search giant introduced Password Alert, an anti-phishing tool that raises an alarm whenever a user enters his or her Google account credentials in an untrusted site. In 2012, Google began notifying Gmail users when it suspected they might be the target of state-sponsored hacking attempts.
Last month, Facebook too began alerting its users whenever it detected that a state-sponsored attacker might be trying to compromise a person’s account on the social network.