
‘Secure email’: A losing battle CISOs must give up

A digital relic dating back to before the birth of the Internet, email was created in 1971 by Ray Tomlinson to electronically send information on the ARPANET research network.

At the time, large-scale, global networks were just a vision, and information security wasn’t a primary concern because the networks themselves were trusted environments. To put this in perspective, ARPANET had 213 connected hosts before it adopted TCP in 1983. Today there are nearly 20 billion nodes on the Internet, with upwards of 5 million of them running SMTP servers.

As the Internet formed and early protocols were adopted, email evolved to become the backbone of digital communication. But it remains to this day one of the most insecure and outdated forms of communication in an era of increasingly sophisticated cyber threats. We have done away with FTP and Telnet; it’s time to stamp out SMTP.

Phishing has already won

The vast majority of initial compromises in cybersecurity incidents today begin with phishing. We deploy multiple layers of anti-spam and email filtering technologies, yet no solution is perfect, and attackers, who are becoming ever more sophisticated, eventually sneak their malicious emails through to employee inboxes.

We also continue to conduct cyber awareness campaigns and run phishing simulations, and yet significant percentages of employees still click on malicious links. In 2024, the median time for users to fall for a phishing email was less than 60 seconds, according to Verizon’s 2025 Data Breach Investigations Report.

The sophistication of email-borne attacks combined with the overwhelming volume of email the average person receives: who can blame someone for falling victim? I often joke to my colleagues that the No. 1 thing we could do to improve the security of any organization is turn off email. The battle against phishing email is a losing battle, and it only takes a single click for all of your security defenses to be circumvented. We must rethink how we communicate electronically.


End-to-end encryption remains elusive

Email is still the dominant digital communication tool today because it’s well understood, relatively easy to use, and relatively inexpensive. By and large, businesses have accepted email for sending confidential information, and we often convince ourselves that it’s secure, can be secured with third-party tools, or is “good enough.” This simply is not the case, and better solutions exist.

It’s impossible to guarantee that email is fully end-to-end encrypted in transit and at rest. Even where Google and Microsoft encrypt user data at rest, they hold the keys and have access to personal and corporate email. Stringent server configurations and the addition of third-party tools can be used to enforce security of the data, but they are often trivial to circumvent: CC just one insecure recipient or distribution list and confidentiality is breached. Forcing encryption by rejecting clear-text SMTP connections would lead to significant service degradation, pushing employees to look for workarounds. There is no foolproof configuration that guarantees data encryption, because of the history of clear-text SMTP servers and the prevalence of their use today.

SMTP comes from an era before cybercrime and mass global surveillance of online communications, so encryption and security weren’t built in. We’ve taped on solutions like SPF, DKIM and DMARC by leveraging DNS, but they are not widely adopted, are still open to a number of attacks, and can’t be relied on for consistent communications. TLS has been wedged into SMTP to encrypt email in transit, but falling back to clear-text transmission is still the default on a significant number of servers on the Internet, to ensure delivery.

All these solutions are cumbersome for systems administrators to configure and maintain properly, which leads to lack of adoption or failed delivery. We would need Certbot to work as seamlessly for SMTP as it does for HTTP, and for major email providers such as Google and Microsoft to refuse clear-text connections, for there to be any hope of improving this situation. Unfortunately, there is little incentive to do this given the amount of email communication disruption it would cause.
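As an added example (not part of the article), the following Python checker grades SPF and DMARC TXT records the way a defender auditing their own domain would, flagging the weak settings (`p=none`, partial `pct`, `~all`, too many lookups) that make these DNS-based add-ons unreliable in practice; the record values are constructed and the domain names are placeholders.

```python
import re
def parse_tags(record):
    # Split a "tag=value; tag=value" TXT record into a dict (keys lowercased).
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Findings for a DMARC record (RFC 7489); an empty list means a strong policy."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected by receivers")
    sub_policy = tags.get("sp", policy)  # sp defaults to p when absent
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not protected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so failures go unseen")
    return findings

def assess_spf(record):
    """Findings for an SPF record (RFC 7208); an empty list means a strict record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The 'all' mechanism decides the result for every host not matched earlier.
    all_term = next((t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t.lower())), None)
    if all_term is None or all_term[0] not in "-~?":
        findings.append("'all' missing or +all: any host may send as this domain")
    elif all_term[0] in "~?":
        findings.append(f"{all_term}: softfail/neutral, most receivers will not reject")
    # Mechanisms and modifiers that cost a DNS lookup; more than 10 is a permerror.
    lookups = sum(1 for t in terms[1:]
                  if re.match(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)(?![a-z])", t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, record is permerror")
    return findings

# Constructed sample records (not real domains' DNS data).
WEAK_DMARC, STRONG_DMARC = "v=DMARC1; p=none; pct=50", "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
WEAK_SPF, STRONG_SPF = "v=spf1 include:_spf.example.net mx ~all", "v=spf1 ip4:203.0.113.0/24 mx -all"
```

Run `assess_dmarc(WEAK_DMARC)` and `assess_spf(WEAK_SPF)` to see the four and one findings respectively; the strong records return empty lists.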


Google recently announced “end-to-end encrypted emails” in Gmail by using Secure/Multipurpose Internet Mail Extensions (S/MIME) within Gmail. But Google also outlines some of the complexities and downfalls of trying to use email for secure communications in its post. While this is a solution that works when sending email within Gmail, it suffers the same issues as SMTP in that S/MIME is complex to set up and difficult to guarantee when sending to remote systems. Google’s solution is to have recipients outside of Gmail click on a link and come back to Google’s servers to read the message over HTTPS. While this may be an acceptable solution for Gmail customers and ticks the compliance box, it doesn’t fix the underlying issues with email. S/MIME has not received widespread adoption for the same reasons that SMTP+TLS has not. Security researchers are already speculating how attackers could take advantage of this feature to craft phishing emails for credential harvesting.

Email for authentication: Another losing battle

Keith Lawson

Add to all this the alarming trend of email being adopted as an authentication mechanism and an out-of-band tool for password resets.

The widespread practice of sending a unique link to email accounts is opening attack vectors to critical services via personal accounts. Attackers have become aware of these trends and are taking advantage of being able to access corporate assets or sensitive personal information by compromising employees’ and executives’ personal email accounts, which often lack secure passwords or multi-factor authentication.

Once an attacker gains access to a personal email account, it’s trivial to find evidence of systems that use that account for authentication or password resets, send a password reset through the third-party service, and gain access to that service.


If that service is a corporate system, the attackers have gained access to your business via an employee’s personal email, which may be the initial compromise that leads to a widespread corporate security breach.

Moving beyond email

In December 2024, the FBI released guidelines for mobile communication that included recommendations to adopt technologies that provide end-to-end encryption, as a direct result of known nation-state threats.

Continuing to rely on email for critical business functions like large financial transactions or the sharing of sensitive information is a losing game. It’s time to start thinking about replacing sensitive or business-critical communications with modern technologies that support end-to-end encryption and were developed to use secure protocols by default. Applications like Signal rely on protocols that were designed with strong encryption and make it simple to ensure data is secured in transit. Tools like Microsoft Teams, Slack, and Cisco Webex were designed from the ground up to use HTTPS. There are better alternatives available today.

Change is hard, and email has been entrenched in our personal and business lives for more than a generation now, but we have better alternatives, and the risks of email are too large to continue to ignore. Businesses need to start adopting policies that deprioritize email as a communications tool and incentivize using more secure alternatives.

In a world where cyber threats evolve daily, relying on email is like locking your front door but leaving the windows wide open. Let’s treat email for what it is: a reliable, well-known tool for global communications. Better tools for protecting the security of data exist now. Rather than trying to retrofit the past, let’s embrace the future. Is anyone going to be upset at having a few fewer emails in their inbox?
