Gmail will flag messages that arrive without encryption in transit

A while back, in 「STARTTLS 的不完整性以及大規模監控電子郵件」 (on the incompleteness of STARTTLS and mass surveillance of e-mail), I noted that the current standards cannot guarantee that an ESMTP session will actually enable STARTTLS. Google is now working with M3AAWG on a standard to protect against this kind of attack:

First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections. To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen “opportunistic TLS” using technologies that we pioneered with Chrome to protect websites against interception.

Separately, Google will also start flagging messages that were not delivered over STARTTLS:

To notify our users of potential dangers, we are developing in-product warnings for Gmail users that will display when they receive a message through a non-encrypted connection. These warnings will begin to roll-out in the coming months.
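To make the two quoted points concrete, here is an added example (my own, not code from the post or from Google) of the decision a sending mail server faces during the ESMTP STARTTLS negotiation. The EHLO replies and STARTTLS responses are constructed samples. It shows the two ways an in-path box can "tamper with requests to initiate SSL connections": removing the STARTTLS keyword from the EHLO reply, or answering the STARTTLS command with an error. A purely opportunistic client silently falls back to plaintext in both cases, which is exactly the delivery Gmail's new recipient-side warning would flag; a strict policy refuses instead.

```python
"""Added example (not from the original post or from Google's code):
a minimal model of the STARTTLS decision a sending MTA makes.
All EHLO replies and STARTTLS responses below are constructed samples."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed EHLO replies, as a sending MTA would receive them (RFC 5321:
# '250-' marks a continuation line, '250 ' the final line).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Same server, but with STARTTLS missing, as a downgrading middlebox would leave it.
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> List[str]:
    """Return the upper-cased EHLO keywords advertised in a 250 multi-line reply."""
    keywords: List[str] = []
    for i, line in enumerate(reply.splitlines()):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i == 0:
            continue  # first line carries the server domain and greeting, not an extension
        parts = m.group(2).split()
        if parts:
            keywords.append(parts[0].upper())
    return keywords


def offers_starttls(reply: str) -> bool:
    """True if the server advertised the STARTTLS extension in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


@dataclass
class Decision:
    encrypted: bool   # will the message travel over TLS?
    proceed: bool     # will we hand the message over at all?
    reason: str


def decide(ehlo_reply: str, starttls_response: Optional[str], require_tls: bool) -> Decision:
    """Decide whether to deliver, given the EHLO reply and (if STARTTLS was sent)
    the server's response to it. require_tls=False is opportunistic TLS."""
    if not offers_starttls(ehlo_reply):
        if require_tls:
            return Decision(False, False, "STARTTLS not advertised; refusing plaintext delivery")
        return Decision(False, True, "STARTTLS not advertised; delivering in the clear")
    # Advertised: RFC 3207 says the server replies 220 to STARTTLS when the TLS handshake may begin.
    if starttls_response is not None and starttls_response.startswith("220"):
        return Decision(True, True, "STARTTLS accepted; continuing over TLS")
    # Advertised but the upgrade was refused or never answered: same fallback question as above.
    if require_tls:
        return Decision(False, False, "STARTTLS advertised but refused; refusing plaintext delivery")
    return Decision(False, True, "STARTTLS advertised but refused; delivering in the clear")


if __name__ == "__main__":
    for ehlo, resp in [
        (EHLO_WITH_STARTTLS, "220 2.0.0 Ready to start TLS"),
        (EHLO_WITHOUT_STARTTLS, None),
        (EHLO_WITH_STARTTLS, "454 4.7.0 TLS not available due to temporary reason"),
    ]:
        for strict in (False, True):
            d = decide(ehlo, resp, require_tls=strict)
            print(f"strict={strict!s:5} encrypted={d.encrypted!s:5} proceed={d.proceed!s:5} {d.reason}")
```

The strict branch is what the M3AAWG work described above is trying to make safe to turn on: a sender can only refuse plaintext if it has some out-of-band way to know the receiver really supports TLS, otherwise a tampered EHLO reply is indistinguishable from a server that never offered STARTTLS.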

Google's post can be read at 「New Research: Encouraging trends and emerging threats in email security」.

My guess is a DNSSEC + TXT record flag; I wonder whether they will go down that road...