Encryption and authentication become part of the webmail UI
Google’s taking some of the user interface techniques it uses to flag insecure Web pages and applying them to email.
The plan: to warn users of Gmail on the Web when they receive emails from people who aren’t using encrypted connections, or if message authentication fails.
The change is outlined on the Gmail blog.
While a Gmail user is protected by TLS encryption, there’s no way for them to know whether the email service they’re sending to or receiving from is also protected.
Google, however, can see that exchange, so if the far-end isn’t encrypted, it is going to start showing users a broken lock.
Name-and-shame: if the email service doesn’t encrypt,
Gmail on the Web will tell you
The second UI flag Gmail is adding covers authentication: while it’s easy to trust an email address you’ve exchanged messages with for a long time (a partner, a boss, an old friend and so on), a lot of messages arrive claiming to be from banks, shops and payment houses.
As Mountain View explains here, it’s a little burdensome for end-users to double-check the details that would let them authenticate messages.
So Google will simply substitute a question mark for the avatar or logo if a message can’t be authenticated.
How an authentication failure will be flagged
A question mark accompanied by the claim that “this is a message from your bank” will, The Chocolate Factory hopes, go a long way to stopping people falling for phishing scams. ®