Email encryption is a hot topic right now. A few weeks ago, Google published a report that reveals how much email sent in transit is encrypted and which major providers are taking measures to encrypt their own emails. Then yesterday, the NPR published a more in-depth report (via 9to5Mac) that looks at how well major email providers in the United States are doing at protecting the data of users online.
As it turns out, Apple was among several major email providers failing to properly encrypt its emails sent and received from other providers like Gmail and Yahoo. Following the report, however, the iPhone maker reached out to NPR to confirm that it will be working on encrypting its emails in transit. The company says the change will occur “soon,” but no timeline was provided…
As is stands, Apple only encrypts emails sent between iCloud accounts. NPR writes:
Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers’ email in transit between providers. After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses.
The report also revealed some other interesting facts about Apple security measures. While services like iMessage and FaceTime are encrypted end-to-end, there are other areas where Apple falls short. Particularly, NPR determined that many app installations and iOS updates, telecom configuration files and pre-login browsing and shopping traffic on the Apple Store are unencrypted.
We found that many app installations and iOS updates are sent unencrypted to iPhones. The configuration files that let your telecom company control aspects of how your iPhone works is also unencrypted. Apple says these updates are authenticated and can’t be changed. All pre-login browsing/shopping traffic from the Apple Store is unencrypted, including all HTML content, images, etc. So if you are a huge Abba fan the NSA could find out.
Apple is not the only company taking measures to improve its email encryption. Google announced that it is working to make end-to-end encryption easier to use with a Chrome extension, and Comcast also made it clear that it will be working to improve its email encryption. The full NPR report is a worthwhile read that provides a technical look into the technologies like HTTPS and HSTS that Apple employes to keep it customers secure.
Do you use iCloud as your mail provider? If so, how do you feel about this news?