
Apple will soon encrypt iCloud emails in transit between service providers

post #1 of 33
Thread Starter 
Apple on Friday said it is working to implement an in-transit encryption solution for its email domains, offering additional protection for iCloud customers sending and receiving messages from people using other providers like Gmail.



Word of Apple's initiative came in a statement provided to NPR after the broadcaster ran a report on its blog looking into the steps big tech firms take to protect users' data privacy.

The story was based on an Electronic Frontier Foundation survey that asked companies like Apple, AT&T, Facebook, Google, Twitter and more about the encryption policies implemented in their products. Specifically, the EFF asked if the firms follow a recommended five-step plan the organization believes keeps consumer data safe.

Specifically, the group looks wants companies to use HTTPS, HSTS , forward secrecy, STARTTLS, and encryption of email while in transit.

While Apple's iMessage inherently supports end-to-end encryption, the company's other text-based communication methods are less secure. Users of Apple's iCloud email service enjoy protections similar to iMessage as long as the conversation is with another iCloud address, but there is currently no encryption method being used for emails in transit between other providers like Google.

As the publication noted in its follow-up, however, Apple is working on the issue and will soon have a solution ready to go.

After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses.


At issue is the STARTTLS extension, which allows for the encryption of text connections between providers. The caveat in using STARTTLS is that both sending and receiving email services must be using it in order to work.


Source: Google


Apple did not offer a timeline on when it plans to roll out end-to-end email encryption outside of iCloud, though Google has started offering specifics on who does and does not support in-transit encryption. As seen above, Google's Safer Email transparency report shows iCloud accounts are also unencrypted, though Apple has not commented on plans to upgrade emails coming and going from those domains as well.
post #2 of 33
Wow, recently Apple has been jumping on the security bandwagon big time, and I couldn't be happier about this! The more security systems and encryption they pack into their devices and services, the better off everyone will be!

Side note, screw you Google!
post #3 of 33

Apple knows that privacy and security are two of Google's biggest weaknesses. Google tracks everything you do online and it stores everything you type or visit or upload and they encrypt nothing on their servers (because then they couldn't serve you ads and make their billions) so Apple is quickly becoming anti-Google.

 

Google Nest and their watch will display ads to you and will track you while Apple's products and services will be quite the opposite. That's Apple's biggest advantage and they're finally fully capitalizing on it.

post #4 of 33

This will also have the effect of undermining Google's ability to scan e-mails and integrate targeted ads. Go Apple!

Proud AAPL stock owner.

 

GOA

post #5 of 33
Quote:
Originally Posted by bighype View Post

Apple knows that privacy and security are two of Google's biggest weaknesses. Google tracks everything you do online and it stores everything you type or visit or upload and they encrypt nothing on their servers (because then they couldn't serve you ads and make their billions) so Apple is quickly becoming anti-Google.

Google Nest and their watch will display ads to you and will track you while Apple's products and services will be quite the opposite. That's Apple's biggest advantage and they're finally fully capitalizing on it.

That's BS. Google uses advanced security and encryption techniques. What you're talking about, targeted ads on Gmail.com have nothing to do with a lack of encryption.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #6 of 33
Quote:
Originally Posted by SpamSandwich View Post
 

This will also have the effect of undermining Google's ability to scan e-mails and integrate targeted ads. Go Apple!

Not if you send the email to a Gmail account. It looks like Apple will encrypt it if somehow they know the recipient is using an Apple mail client. Once the email ends up in a Gmail account Google is free to read it. I am just curious if you use an Apple mail client to retrieve your mail if the actual mail file on Google servers will stay encrypted until you retrieve it.

 

This will just keep it from the prying eyes of your ISP, meaning that when the government asks your ISP to forward all your email to them, it will be encrypted and they will have to use more computing resources to see what you are up to.

post #7 of 33
Confession: I foolishly assumed that encryption had been set up between all these different mail services.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #8 of 33
Quote:
Originally Posted by SolipsismX View Post


That's BS. Google uses advanced security and encryption techniques. What you're talking about, targeted ads on Gmail.com have nothing to do with a lack of encryption.

Google encrypts traffic between your browser and their servers. They also encrypt traffic between their servers. But Google DOES NOT encrypt anything they store on their servers! NOTHING!

post #9 of 33
Quote:
Originally Posted by bighype View Post

Google encrypts traffic between your browser and their servers. They also encrypt traffic between their servers. But Google DOES NOT encrypt anything they store on their servers! NOTHING!

Nothing? Do you have proof of this? Do you have any evidence to show that if Google Server was stolen all the data would be in cleartext, including my username, password and any CC info? I can't imagine that being the case. So does Google offer you targeted ads in your emails? The same way they do it for your search results. They read the data that is being unencrypted on your end in the browser and AdSense then generates ads based on that criteria.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #10 of 33
Quote:
Originally Posted by SolipsismX View Post

Nothing? Do you have proof of this? Do you have any evidence to show that if Google Server was stolen all the data would be in cleartext, including my username, password and any CC info? I can't imagine that being the case. So does Google offer you targeted ads in your emails? The same way they do it for your search results. They read the data that is being unencrypted on your end in the browser and AdSense then generates ads based on that criteria.
You should take the time to read their user agreement. They were called on this and admitted they scan your emails "to provide better service". Apple can't even open your iMessage files.
post #11 of 33
Quote:
Nothing? Do you have proof of this? Do you have any evidence to show that if Google Server was stolen all the data would be in cleartext, including my username, password and any CC info? I can't imagine that being the case. So does Google offer you targeted ads in your emails? The same way they do it for your search results. They read the data that is being unencrypted on your end in the browser and AdSense then generates ads based on that criteria.

Google does encrypt customer data on their servers at rest. bighype may be getting confused with the recent(-ish) revelation that their inter-datacenter links were not encrypted. Encryption of data on a hard drive doesn't preclude its use across devices or services, obviously.

post #12 of 33
Quote:
Originally Posted by genovelle View Post


You should take the time to read their user agreement. They were called on this and admitted they scan your emails "to provide better service". Apple can't even open your iMessage files.

 

That's true. However that does not preclude their ability to use encryption on the server side. The data is stored encrypted at rest, but is operationally accessible to Google's network and software in response to internal queries and external (e.g. customer) client requests. Encryption at rest is to prevent the scenario OP mentioned about stolen servers revealing data. Keep in mind that Google utilizes the same Google infrastructure as its customers - it isn't likely going to put all of that in an insecure environment.

 

In reference to iMessage, while that's generally accepted, and I personally trust that, we still haven't seen anything that makes Apple interception impossible. Apple hardware and software still manages the keys used for encryption. I would bet that the system is architected such that it would be inappropriately difficult to adhere to any demand or request requiring them to poison the keying system, intercept data, and dump it to some agency.

post #13 of 33
I love Apple but GMail is the best IMO. Seemingly infinite storage, quickly accessible from just about any browser, convenient features. iCloud is still a niche that does little besides advertise that someone is an Apple fan.
post #14 of 33

http://news.yahoo.com/google-enhances-encryption-technology-email-204813662--politics.html

dated 3/20/2014, "Lidzborski said that all Gmail messages a consumer sends or receives are now encrypted." I read this to mean they weren't encrypted before this date so gmail encryption is new as of a few months ago. 

 

http://gizmodo.com/why-doesnt-google-encrypt-all-of-your-data-1148987872

dated 8/15/2013: "From now on everything you put on Cloud Storage will be automatically encrypted on Google servers."

 

http://static.googleusercontent.com/media/www.google.com/en/us/a/help/intl/en/security/pdf/message_encryption.pdf

No date but talks about Google Message Encryption. This is for businesses and uses Postini so not for the rest of you (I don't use gmail).

 

http://technologyangle.com/2014/03/email-encryption-should-you-pick-google-or-microsoft/

dated 3/24/2014: "With the Google-for-business email service, your email is encrypted between your device and the Google servers, as well as when Google moves your email between its own data centers.  Google does not encrypt your emails stored “at rest” on their servers." This seems to conflict with the gizmodo article I mentioned earlier.

 

Who do you trust to have the real information? Who do you trust handling your information? Email has never been private, just like telephone calls. That's why you never ever send any personal information, passwords, credit card numbers or anything else without encrypting them yourself. I believe Yosemite will allow this to be done within Mail on an email by email basis. I used an email encryption service for years at work and we had documented policy on what types of data could be sent without encryption. Using this process was and might still be the only way to keep others from reading your email.

 

update: I'm not sure how much of the ADC NDA Apple changed but so much was announced via the keynote and all the WWDC videos were available to everyone so I'll assume most of what I'm saying is not covered under the NDA.

 

I checked Yosemite Mail and you can now set an encryption certificate to encrypt and decrypt emails regardless of whether the email service you're using encrypts them. Of course, you'll need to get a certificate from a trusted certificate authority (CA) and most of these cost money but you'll be able to maintain encryption at least between people who also can decrypt your email (maybe Apple will be providing this service or using your iCloud certificate, I don't know the answer to this). These people will need part of your certificate so both ends know the identity of the other one but this is how we used Entrust at work. Once the email has been sent, it stays encrypted until it gets to the destination and the recipient decrypts it. With Macs, this can be done automatically in Mail and some other email clients using the Keychain. Apple's CoreCrypto modules have been certified but who knows whether NSA has some kind of master decryption key. They shouldn't but we'll probably never know.


Edited by rob53 - 6/13/14 at 5:47pm
post #15 of 33
Quote:
Originally Posted by AppleInsider View Post

Specifically, the group looks wants companies to use HTTPS, HSTS , forward secrecy, STARTTLS, and encryption of email while in transit.

I also "looks wants" the companies to use HTTPS, (buzzwords, et al).

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #16 of 33
Quote:
Originally Posted by rob53 View Post
 

Google does not encrypt your emails stored “at rest” on their servers.

 

 

 

That says it all. The fact they encrypt while it's in transport doesn't mean much. NSA can still get it.

post #17 of 33

Am now totally Goolies free. Start Page piggybacks off Google to send out your requests so no tracking takes place and a little kick is given to the tender parts of Goolies. SP is working on Mail but will cost a bit. Meanwhile, mail.com is my preference and the ads don’t bother me though for a little coin, they are excluded.

One of the best encrypted mail accounts is RiseUp but it takes a while to be accepted unless you have a couple cronies already using RU. Won’t know how good it is till I get accepted.

 

Where there is will and disgust man’s search for a better world truly continues to trod on (such evils as previously thrice mentioned). And what rot has become Hotmail or whatever be the latest incarnation just sprung by MS (spit). The shovels are hard at work in that quagmire. (No offence meant to honest quagmires.)

When I find time to rewrite the laws of Physics, there'll Finally be some changes made round here!

I am not crazy! Three out of five court appointed psychiatrists said so.

post #18 of 33
Quote:
Originally Posted by genovelle View Post

You should take the time to read their user agreement. They were called on this and admitted they scan your emails "to provide better service". Apple can't even open your iMessage files.

Scanning your content for an automated system to supply targeted ads doesn't mean there is no protection on their servers.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #19 of 33
Quote:
Originally Posted by SolipsismX View Post


Scanning your content for an automated system to supply targeted ads doesn't mean there is no protection on their servers.

Who cares there's protection when NSA can get everything without a warrant if you're not from US? And if you are from US, they get it through another FISA warrant.

post #20 of 33
Quote:
Originally Posted by bighype View Post

Who cares there's protection when NSA can get everything without a warrant if you're not from US? And if you are from US, they get it through another FISA warrant.

You're weakening your argument. You first stated that NOTHING on Google's servers are encrypted which means that anyone with access to the server could access your data, usernames, passwords and CC info. So why would the NSA be involved, especially if previously between mail servers it was already sent unencrypted. It sounds like they already were getting what they want.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #21 of 33
Quote:
Originally Posted by genovelle View Post


You should take the time to read their user agreement. They were called on this and admitted they scan your emails "to provide better service". Apple can't even open your iMessage files.

You realise that almost every email provider scans your emails "to provide better service" in the form of a spam filter, right?

 

As of 2013, Apple was filtering emails based on potentially spammy phrases and silently deleting them, rather than moving them to a spam folder a la Gmail:

http://www.imore.com/apple-filtering-emails-contain-certain-objectionable-phrases

post #22 of 33
Quote:
Originally Posted by SolipsismX View Post

You're weakening your argument. You first stated that NOTHING on Google's servers are encrypted which means that anyone with access to the server could access your data, usernames, passwords and CC info. So why would the NSA be involved, especially if previously between mail servers it was already sent unencrypted. It sounds like they already were getting what they want.
You are right, Google's servers are heavily encrypted (it's even encrypted during transit between servers, why wouldn't it be on the server itself). The data between web browser and web server on Google websites is encrypted with a 2048-bit key. And Gmail has a good encryption record both between Gmail accounts and in-transit. BTW Google also launched an interesting Chrome extension earlier this month (in alpha at this moment in time) to allow for local end-to-end encryption for emails.
https://code.google.com/p/end-to-end/
post #23 of 33
Quote:
Originally Posted by SpamSandwich View Post
 

This will also have the effect of undermining Google's ability to scan e-mails and integrate targeted ads. Go Apple!

No it won't. The encryption in question is between servers. Google has access to the unencrypted copy of gmail, obviously. On its own gmail servers it can scan and insert ads all it wants to.

post #24 of 33
Quote:
Originally Posted by DarkLite View Post

You realise that almost every email provider scans your emails "to provide better service" in the form of a spam filter, right?

As of 2013, Apple was filtering emails based on potentially spammy phrases and silently deleting them, rather than moving them to a spam folder a la Gmail:
http://www.imore.com/apple-filtering-emails-contain-certain-objectionable-phrases

Unfortunately they still have a long ways to go to catch up with Gmail.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #25 of 33

There's a difference between end to end encryption and point to point encryption.

You and your recipient(list) need to work to get end to end encryption.

No provider can do that, unless you're on the same platform.

 

point to point encryption... just makes it harder to read in transit... therefore the attack must occur on/in/behind one or both of the 'points.'

 

There is no reason to believe that encryption at rest means google can't read data.

 

It may make it hard[er] for the standard admin to access your  mail, but google is able to decrypt and read all your mail whenever they want through the keys their servers have - unless _you_ encrypted it before it's stored on their machines (which is about every 3 seconds in gmail draft mode). 

 

If Google can respond to a subpoena providing them your email, your email is not encrypted so Google can't read it.

Same for them doing postini spam/anti-malware checks on your email

Or scanning for adwords.

post #26 of 33
Quote:
Originally Posted by SolipsismX View Post


Unfortunately they still have a long ways to go to catch up with Gmail.

 

Gmail sucks...end of story! I switched away from them a couple years ago.  I wouldn't trust Google any further than I can throw them. 

post #27 of 33
Quote:
Originally Posted by Chipsy View Post


(it's even encrypted during transit between servers why wouldn't it be on the server itself).
Google also launched an interesting Chrome extension earlier this month (in alpha at this moment in time) to allow for local end-to-end encryption for emails.
https://code.google.com/p/end-to-end/

because on the server it has to do what servers do: provide services. Even between MTAs, it decrypts the message from the sender, and 'routes' it. It knows sender and receiver, it sees all the headers. It has to know if it has to put it in your mail store. If it does, and you're using default settings, it will 'scan' your message for its postini rules for spam, malware, etc. It can't do that unless it decrypts.

 

Open PGP takes work by the end users to implement. the 1% of the internet that cares about this, already does this, without the Chrome Extension.  The 99% who can't or don't, won't.   At best, it makes google's internal mail harder to intercept, and better, harder to respond to in Subpoena [Emails between Eric and Sergey and Larry are encrypted and we don't have the keys... sorry - Google Legal].
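One way to check, on a delivered message, which hops actually ran over STARTTLS, as the article and the point-to-point posts above describe (an added example, not part of the original thread). It reads the `with` clause each receiving server writes into its `Received` header, where the RFC 3848 keywords such as `ESMTPS` mark a TLS-protected hop; the message, host names and addresses are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that mean the hop was protected by (START)TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: submission over TLS, a cleartext provider-to-provider
# hop, then an encrypted internal delivery. Newest Received header is on top.
SAMPLE = """\
Received: from mx-in.b.example (mx-in.b.example [198.51.100.7])
\tby store.b.example with LMTPS id 0003
\tfor <bob@b.example>; Fri, 13 Jun 2014 17:00:03 -0700
Received: from out.a.example (out.a.example [192.0.2.25])
\tby mx-in.b.example (Postfix) with ESMTP id 0002
\tfor <bob@b.example>; Fri, 13 Jun 2014 17:00:02 -0700 (PDT)
Received: from laptop.local (unknown [203.0.113.9])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
\tby out.a.example (Postfix) with ESMTPSA id 0001
\tfor <bob@b.example>; Fri, 13 Jun 2014 17:00:01 -0700 (PDT)
From: alice@a.example
To: bob@b.example
Subject: constructed sample

body
"""


def strip_comments(text):
    """Drop (possibly nested) parenthesised comments, which may themselves
    contain words like 'with' (e.g. 'using TLSv1.2 with cipher ...')."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_received(value):
    """Extract the from/by/with clauses of one Received header value."""
    text = " ".join(strip_comments(value).split())  # unfold and normalise
    text = text.rsplit(";", 1)[0]                   # drop the trailing date

    def clause(word):
        m = re.search(r"(?:^|\s)%s\s+(\S+)" % word, text, re.IGNORECASE)
        return m.group(1) if m else None

    proto = (clause("with") or "UNKNOWN").upper()
    return {
        "from": clause("from"),
        "by": clause("by"),
        "with": proto,
        "encrypted": proto in TLS_PROTOCOLS,
    }


def audit_hops(raw_message):
    """Return the hops in chronological order (oldest first)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def cleartext_hops(hops):
    """List (sender, receiver) pairs for hops that did not record TLS."""
    return [(h["from"], h["by"]) for h in hops if not h["encrypted"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        state = "TLS" if hop["encrypted"] else "CLEARTEXT"
        print("%-18s -> %-18s %-8s %s" % (hop["from"], hop["by"], hop["with"], state))
```

Each `Received` line is written by the server that accepted the message, so only the ones stamped by servers you trust count as evidence; an earlier hop can insert forged headers below them.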

post #28 of 33
Quote:
Originally Posted by TheOtherGeoff View Post

...posting...

Wiki
Quote:
Postini is an e-mail, Web security, and archiving service owned by Google since 2007. It provides cloud computing services for filtering e-mail spam and malware (before it is delivered to a client's mail server), offers optional e-mail archiving, and protects client networks from web-borne malware.

Learn something everyday; thanks.
How to enter the Apple logo  on iOS:
/Settings/Keyboard/Shortcut and paste in  which you copied from an email draft or a note. Screendump
post #29 of 33
Quote:
Originally Posted by bighype View Post
 

Google encrypts traffic between your browser and their servers. They also encrypt traffic between their servers. But Google DOES NOT encrypt anything they store on their servers! NOTHING!

 

 

 

Fun fact #1–

Email is typically only encrypted in transit, where it is considered "more vulnerable" to 3rd party eavesdropping.

 

Fun fact #2–

Typically, mail on the server is not encrypted by ANY service.  Or by companies, schools, or otherwise.  That is the norm.  It is generally too computationally expensive to encrypt the entire mail server database, and expect performance from said mail server.  (Witness, for example, reports of even security firms getting hacked, and all their internal emails are leaked to the Internet).  The fact Google is offering encryption for business subscribers is actually impressive.  *If* a company or organization IS encrypting the entire mail database (which can often be measured in terabytes), they probably have a very good reason to do so.

 

Fun fact #3–

Even if the database was encrypted, it may not matter depending on how the hacker managed to hack into the server.  i.e. if they hack the process that has access to the DB, they can still read its mail, regardless of if it was encrypted or not.

 

Fun fact #4–

Mail on your own personal computer (Mac or Windows, Mac Mail or Outlook or what have you), is ALSO not encrypted. (Unless you enabled FileVault on your Mac, or BitLocker on Windows).  Even if you did enable full-drive encryption in your operating system– depending on how the hacker hacked into your system (say, for example, he implanted a Remote Access Tool), he might have access to all your files anyway (including mail).

 

 

Fact is, there's plenty of ways for your mail to be intercepted.  And as others have pointed out– if it's truly sensitive data, you don't want to send it via email. For example, our corporate policy is that you cannot send credit card information over email, when purchasing something.

 

-Rick

post #30 of 33
Quote:
Originally Posted by TheOtherGeoff View Post


Open PGP takes work by the end users to implement. the 1% of the internet that cares about this, already does this, without the Chrome Extension.  The 99% who can't or don't, won't.   At best, it makes google's internal mail harder to intercept, and better, harder to respond to in Subpoena [Emails between Eric and Sergey and Larry are encrypted and we don't have the keys... sorry - Google Legal].
Google is going to make OpenPGP a whole lot easier and more widely available.
http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html
"Today, we’re adding to that list the alpha version of a new tool. It’s called End-to-End and it’s a Chrome extension intended for users who need additional security beyond what we already provide.

“End-to-end” encryption means data leaving your browser will be encrypted until the message’s intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser.

While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools."
melior diabolus quem scies
post #31 of 33
I presume a Chrome Extension is designed for the Chrome Browser. If so, I don't think many people here use that.
How to enter the Apple logo  on iOS:
/Settings/Keyboard/Shortcut and paste in  which you copied from an email draft or a note. Screendump
post #32 of 33
Quote:
Originally Posted by PhilBoogie View Post

I presume a Chrome Extension is designed for the Chrome Browser. If so, I don't think many people here use that.

AI members may not, but they wouldn't be representative of the average user. In fact in the overall market Chrome may be the leading browser.

http://www.sitepoint.com/browser-trends-may-2014-chrome-exceeds-expectations/
What about iOS users? "...but Chrome looks set to overtake Safari on iOS shortly."
Edited by Gatorguy - 6/16/14 at 10:34am
melior diabolus quem scies
post #33 of 33
Quote:
Originally Posted by Gatorguy View Post

Quote:
Originally Posted by PhilBoogie View Post

I presume a Chrome Extension is designed for the Chrome Browser. If so, I don't think many people here use that.

AI members may not, but they wouldn't be representative of the average user. In fact in the overall market Chrome may be the leading browser.

In spite of IE most likely being the default on corporate PC's, I'm not surprised to see such a high percentage from Chrome. Especially how crappy FF has become.
Quote:
http://www.sitepoint.com/browser-trends-may-2014-chrome-exceeds-expectations/
What about iOS users? "...but Chrome looks set to overtake Safari on iOS shortly."

1) strange that Safari on iPad has an even bigger share than Safari on the desktop

2) strange that they don't have any number on Safari for the iPhone nor for the iPod touch

3) funny that there are still people on IE6
How to enter the Apple logo  on iOS:
/Settings/Keyboard/Shortcut and paste in  which you copied from an email draft or a note. Screendump