Over the past year or so, messaging security and encryption have been increasingly in the spotlight. We now send and receive more data over the Internet than ever before, yet until recently, email messages have typically been transmitted in clear text. This lack of encryption allows any interested party with just a little know-how and some basic equipment to potentially intercept the content: they can read personal information, bills, social media notices, birthday invitations and promotional material, and even access pictures of loved ones or other sensitive attachments.
In response to this threat, the first best practices document developed by the new M3AAWG Pervasive Monitoring SIG, released earlier this month, outlines the immediate steps anyone operating a mail server should take to encrypt sessions used for sending email. “TLS for Mail: M3AAWG Initial Recommendations” focuses on utilizing opportunistic TLS to create secured sessions for server-to-server and intra-network communications as well as email submission from end users. These first steps are of critical importance to protecting users from unwanted eavesdropping and will hopefully lead to heightened security awareness.
M3AAWG formed the new Pervasive Monitoring Special Interest Group to combat the potential for these types of privacy violations by educating our members and the messaging industry to better protect end-users. Some of our first tasks have included preparing collaborative documents defining the issues and outlining some methods for initial remediation.
We have also created a new Pervasive Monitoring Playlist on the M3AAWG YouTube channel at www.youtube.com/maawg. Currently, the playlist includes videos from messaging engineers at both Facebook and Google explaining the importance of turning on opportunistic TLS and a video from the SIG describing the best practices recommendations and our general roadmap moving forward.
We encourage all members, and the community at large, to deploy the initial recommendations in the recent TLS best practices document and to spread the word about why secure messaging is so important for organizations of any type, large and small. We will continue to publish other documents that better explain the threats and possible solutions and we welcome contributions from all M3AAWG members. You can email us through the Contact Us form on the M3AAWG website.
By Alex Brotman, M3AAWG Pervasive Monitoring SIG Co-Chair