Who sends e-mail securely in SA?
Google recently added a new section to its transparency report, entitled “safer e-mail”, which shows the percentage of e-mails sent to and from Gmail that are encrypted in transit.
In its announcement of the new report, Google said that many e-mail providers don’t encrypt messages while they are in transit.
“When you send or receive emails with one of these providers, these messages are as open to snoopers as a postcard in the mail,” Google said.
It added that a growing number of providers are working to change that by encrypting messages sent to and from Google’s services using Transport Layer Security (TLS).
To help users understand whether their e-mails are protected by encryption, Google said it now shows what percentage of mails sent to or from Gmail are encrypted.
It also breaks this down by region, showing what percentage of e-mails received from or sent to certain domains are encrypted.
For the moment the African region report is dominated by domains operated from South Africa (with one domain from Morocco listed), and only shows mails sent from those domains to Gmail:
Mails sent from African domains to Gmail | |
Domain | Percentage encrypted |
careers24.com | 0% |
cpm.co.ma | 0% |
discovery.co.za | 0% |
fnb.co.za | <50% |
gmail.com via telkomadsl.co.za | 99.99% |
junkmail.co.za | 0% |
pnetweb.co.za via salesnet.co.za | 0% |
pnetweb.co.za via hosting.co.za | 0% |
striata.com | 0% |
telkomsa.net via saix.net | 0% |
Bidorbuy, a large South African website which sends a large volume of mail daily, was asked for its take on the report, and how it handles e-mail security.
Gerd Naschenweng, chief technology officer at Bidorbuy, said that their transactional mail to Gmail.com alone ranges between 100,000 and 300,000 mails daily.
“To be honest, I don’t really trust the Google report as it only reports 10 domains for the whole region,” Naschenweng said. “Also remember that perhaps the featured domains all submit from a specific [Autonomous System], or might even have misconfigured MX records which could result in wrong reporting.”
Naschenweng said that he thinks the biggest challenge is that most local companies have no idea how to properly handle mail.
It is also an industry issue as only some webmail platforms use SPF/DKIM/DMARC to flag spoofed mail (mail pretending to be from someone else), he said, adding that this is also not a feature in standalone mail-clients yet.
Transit-level vs end-to-end encryption
While Google’s new report deals with encrypting e-mail while in transit, the search giant said that for people that want stronger e-mail security, end-to-end encryption is a good option.
However, tools like PGP and GnuPG are hard for average e-mail users to master.
To address the problem, Google launched the source code for a new Chrome extension it calls “End-to-end”, which it said is currently in testing.
It also advocated an initiative called Reset the Net, a broad coalition of organisations, companies, and individuals that have come together to promote stronger security practices on the web.