If you have started seeing a little red padlock in your Gmail email, don’t freak out, even if the red padlock is open. All that it means is that the sender didn’t use transport layer security (TLS) when sending it – in other words, it simply means that the email is not encrypted.
In this context, Transport Layer Security (TLS) refers to the encryption of the email while it is in transit, between the sender and the receiver. That is, from the moment that the person emailing you hit ‘send’ to the moment that you opened the email (at which point it was decrypted so that you could read it).
Of course, people seem to be thinking a lot more about encryption these days, since the Feds versus the Apple iPhone thing that has been in the news lately.
Gmail is doing their part by making it more obvious when an email was sent encrypted and when it wasn’t, and when an email that you send isn’t going to be encrypted along the way after you send it. Gmail first announced this on their blog last month, but people are only just starting to really notice that little red padlock.
For this encryption to work, both the sending and the receiving email systems have to support it (otherwise you could send an encrypted email, but there would be no way for it to be decrypted on the other end). So if the little red padlock in an email you received is open, it simply means that the sender’s email system doesn’t support TLS encryption.
Similarly, if you see the open red padlock while you are drafting an email to send someone, it means that your email will not be sent encrypted, because the system on the other end (to which you are sending it) doesn’t support the encryption. This means that if someone were to grab your email between the time you hit ‘send’ and the time your intended recipient receives it, they would be able to read whatever you wrote, because it would still be in the text format in which you typed it, rather than being encrypted.
Explains Gmail’s Vivian,
If you see a red open padlock icon on a message you’ve received, or on one you’re about to send, it means that the message may not be encrypted.
If you see the red padlock while composing a message… don’t send confidential material, like tax forms or contracts, to that email address.
If you see the red padlock when viewing a received message… this message was sent unencrypted. In most cases, there’s nothing you can do. If it contained particularly sensitive content, you should let the sender know and they can contact their email service provider.
She goes on to explain that “If the person you’re emailing with is using an email service that doesn’t encrypt all messages using a system called Transport Layer Security (TLS), their emails might not be secure, even though Gmail will encrypt whenever possible. For delivery TLS to work, the email delivery services of both the sender and the receiver always have to use TLS.”
At the same time that Gmail rolled out their red padlock, they also announced another (and to our mind more useful) icon: the question mark (“?”) in place of an avatar for a sender when the sender’s email does not authenticate.
Email authentication is the mechanism by which an email sending system proves that it really is who it says that it is. For example, if the email appears to come from email@example.com, you can prove that it actually came from yahoo.com, and isn’t some spammer or scammer faking the yahoo.com address.
Typically, there will be a little avatar (picture) next to the sender’s name. This is often the sender’s profile picture, or another image that they have chosen for their avatar. If they haven’t picked one, then Gmail will insert one of those generic “wasn’t here during school pictures” images.
But if the sender’s email cannot be authenticated, there will be a question mark in place of the avatar.
We say that we think this icon is more useful for a couple of reasons. First, there are lots of senders who do not use encrypted email. Generally speaking, at this point in time, senders who use encrypted email are in the minority. In fact, we have never seen an email in Gmail without the little red padlock.
On the other hand, email authentication should be used by all legitimate email senders at this point in time, and generally speaking, it is. Most (not all, but most) email that does not authenticate properly is email that should be viewed with suspicion. There are cases where legitimate senders don’t have authentication set up properly, but even there, if the question mark gives you pause, and causes you to take an extra moment to check out whether their email is legitimate, that’s not a bad thing.
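Both signals discussed above, transport encryption and sender authentication, are also recorded in a message's raw headers (in Gmail, "Show original"). The following is an added example, not Gmail's own logic or code from this article: it reads the topmost Received header for a TLS marker and the Authentication-Results header for SPF/DKIM verdicts. The sample messages, hostnames and the `trusted_authserv` parameter are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages (not real mail). Header wording varies by provider.
SAMPLE_TLS_AUTH = """\
Received: from mail.sender.example (mail.sender.example. [192.0.2.10])
        by mx.receiver.example with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 01 Jan 2024 10:00:00 -0800 (PST)
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@sender.example;
       spf=pass smtp.mailfrom=alice@sender.example
From: Alice <alice@sender.example>

body
"""

SAMPLE_PLAIN_UNAUTH = """\
Received: from unknown.example (unknown.example. [198.51.100.7])
        by mx.receiver.example with SMTP id def456;
        Mon, 01 Jan 2024 10:05:00 -0800 (PST)
Authentication-Results: mx.receiver.example;
       spf=softfail smtp.mailfrom=bob@sender.example
Authentication-Results: mx.untrusted.example; dkim=pass header.i=@sender.example
From: Bob <bob@sender.example>

body
"""


def inspect(raw, trusted_authserv="mx.receiver.example"):
    """Return TLS and authentication signals recorded by the receiving server."""
    msg = message_from_string(raw)
    # The topmost Received header is the newest hop, written by our own server.
    hop = " ".join((msg.get_all("Received") or [""])[0].split())
    # RFC 3848: "with ESMTPS"/"ESMTPSA" marks a TLS hop; some servers add version=TLS...
    tls = bool(re.search(r"\bwith ESMTPSA?\b|\bversion=TLS", hop, re.I))
    verdicts = {}
    for value in msg.get_all("Authentication-Results") or []:
        authserv, _, rest = " ".join(value.split()).partition(";")
        # Only trust results stamped by our own server; a sender can add its own copy.
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            verdicts.setdefault(method, result)
    authenticated = "pass" in (verdicts.get("spf"), verdicts.get("dkim"))
    return {"tls_last_hop": tls, "authenticated": authenticated, "verdicts": verdicts}
```

The second sample carries an extra Authentication-Results header from a different server name; it is ignored, since only the receiving server's own verdict says anything about the message.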