
Following the publication of an NPR article detailing the security of major email services, Apple has informed the network that it is working on an update to its iCloud Mail service that encrypts emails in transit to and from other providers. Currently, iCloud emails are only encrypted in transit from one iCloud account to another; an email sent from iCloud to Gmail or Yahoo (as examples), or vice versa, is not encrypted in transit. This is what will change:

Apple encrypts e-mail from its customers to iCloud. However, Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers’ email in transit between providers. After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses.

The enhancement will come into effect “soon,” but Apple has not given a more specific timeframe. While the quote above oddly does not mention icloud.com addresses, that newer Apple email domain likely falls into the same category as me.com and mac.com. The lack of in-transit encryption between iCloud Mail and Gmail, for example, is shown on Google’s data protection transparency website:

[Screenshot: Google transparency report chart for email encryption with iCloud]

The chart indicates that only inbound messages are encrypted; outbound messages via iCloud are not. Since transport encryption requires support on both ends of the connection, Apple will likely need to work with Gmail and other email providers to achieve complete in-transit email encryption. Apple currently provides end-to-end encryption for services such as iMessage and FaceTime, and the Electronic Frontier Foundation has even awarded Apple 5 out of 5 stars for its protection of customer data online.

Apple has published transparency reports describing the security of its iOS and OS X operating systems and various cloud services. These reports have come in response to government surveillance allegations over the past year. Apple also details its iCloud encryption offerings on its support website:

[Screenshot: Apple’s iCloud security support page]

NPR, however, also notes that Apple has some work to do on encrypting some of its other cloud-based services, but these lapses in security are not nearly as severe as the lack of in-transit iCloud email encryption between providers:

We found that many app installations and iOS updates are sent unencrypted to iPhones. The configuration files that let your telecom company control aspects of how your iPhone works are also unencrypted. Apple says these updates are authenticated and can’t be changed. All pre-login browsing/shopping traffic from the Apple Store is unencrypted, including all HTML content, images, etc. So if you are a huge Abba fan the NSA could find out.

Later this year, Apple will be rolling out OS X 10.10 Yosemite and iOS 8 with further security improvements for both consumers and enterprise users. iOS 8 will include Touch ID enhancements for developers while Yosemite will include a new Mail Drop feature for encrypting email attachments up to 5GB in size via iCloud. We have reached out to Apple for more clarity on the future iCloud email encryption improvements.


13 Responses to “Apple: We’ll ‘soon’ begin encrypting iCloud email in transit between providers”

  1. exapple says:

    Fun fact: The names you see in demo screens, like the ones here (“Natalie Maric”, “Simon Pickford”, etc.) are Apple employees in the Marketing Communications (Marcom) group. They sign releases to have their names used, and get a kick out of seeing their name “in lights”. Just for kicks, go to LinkedIn and search these names. You’ll see many of them showing up as Apple creatives.

  2. I know it’s not currently a problem due to the way the rest of the system is constructed, but they really need to stop using elliptic curve also (If the NSA allows it).

  3. Umm, no one else encrypts outbound email either unless it’s a feature you turn on or install. “one of the few” sounds like total garbage to me. Standard email has never been secure. Period.

    • Actually most major email providers encrypt email that is exchanged between providers. The individual emails might not be encrypted but the transfer is. Very similar to HTTPS. It’s called SMTPS.

      http://en.wikipedia.org/wiki/SMTPS

      There is a difference between encrypted transfers and encrypted data @ rest. You’re correct that just about no one encrypts email that sits on servers. The reason being that you need a good way to exchange keys between sender and receiver. Something that used to be very tedious to achieve. It would be great to see Facebook, Apple, Google, Microsoft and Yahoo, create a key exchange. That would cover a huge percentage for Sender Receiver connections.

    • fjpoblam says:

      Hear, hear!

    • standardpull says:

      Why isn’t Google saying that? Oh yeah, marketing.

      Encrypting traffic between mail servers in NO WAY secures email.

    • They are referring to mail being transferred from server-to-server. The connections between servers are encrypted, not the e-mail itself.

      This is common on mail servers now. Enabling it involves configuring a TLS certificate and enabling the STARTTLS SMTP extension. This is easy to do for small sites, but I imagine it’s a big deal on something the size of iCloud. But still. They should have done it years ago.
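The server-to-server STARTTLS negotiation described in the comment above, as an added example that is not from the article or from any commenter: a small Python model of how a sending mail server parses a peer's EHLO reply, detects the STARTTLS extension, and applies a local TLS policy to decide whether the message goes out over TLS, in cleartext, or stays queued. The policy names none/may/encrypt are borrowed from Postfix's smtp_tls_security_level setting; the EHLO replies, host names and addresses are constructed for the example.

```python
"""Added example (not from the article or commenters): EHLO parsing and
STARTTLS policy decision for an outbound SMTP client. Inputs are constructed."""
from __future__ import annotations

# Constructed multi-line EHLO replies in RFC 5321 format: every line starts
# with "250", continuation lines use "-" and the final line uses a space.
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)

# Policy names borrowed from Postfix smtp_tls_security_level (assumption:
# only these three levels are modelled here).
POLICIES = ("none", "may", "encrypt")


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Return {EXTENSION: [params]} from a successful EHLO reply.

    The first line is the greeting; each following line is
    '250-KEYWORD params' (more lines follow) or '250 KEYWORD params' (last line).
    """
    lines = reply.rstrip("\r\n").split("\r\n")
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful (250) EHLO reply")
    extensions: dict[str, list[str]] = {}
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        keyword, *params = line[4:].split()
        extensions[keyword.upper()] = params
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the peer offers the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo(reply)


def delivery_decision(reply: str, policy: str) -> str:
    """Map peer capability plus local policy to one of:
    'starttls'  - negotiate TLS before sending the message
    'cleartext' - send without TLS (what the article describes for iCloud outbound)
    'defer'     - keep the message queued; TLS was required but not offered

    'none'    never negotiates TLS.
    'may'     is opportunistic: TLS if offered, otherwise cleartext. Note the
              silent fallback: a peer that does not advertise STARTTLS gets the
              message in the clear, which is why this level gives no guarantee.
    'encrypt' is mandatory: no STARTTLS means the message is not sent.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "none":
        return "cleartext"
    if advertises_starttls(reply):
        return "starttls"
    return "cleartext" if policy == "may" else "defer"


def client_commands(reply: str, policy: str,
                    helo_name: str = "mail.example.org") -> list[str]:
    """The next commands the client would send after reading the EHLO reply.

    After a successful STARTTLS handshake the client discards what it learned
    from the cleartext EHLO and re-issues EHLO inside the TLS session (RFC 3207).
    """
    decision = delivery_decision(reply, policy)
    if decision == "starttls":
        return ["STARTTLS", f"EHLO {helo_name}"]
    if decision == "cleartext":
        return ["MAIL FROM:<sender@example.org>"]
    return ["QUIT"]  # deferred: close the session and retry later


if __name__ == "__main__":
    for name, reply in (("peer with STARTTLS", EHLO_WITH_STARTTLS),
                        ("peer without STARTTLS", EHLO_WITHOUT_STARTTLS)):
        for policy in POLICIES:
            print(f"{name:22s} policy={policy:8s} -> "
                  f"{delivery_decision(reply, policy):9s} {client_commands(reply, policy)}")
```

The point the table of outcomes makes is the one the comment thread circles around: opportunistic TLS (`may`) is what most providers run, and it only protects the hop when the receiving server actually advertises STARTTLS; `encrypt` is the setting that turns a missing advertisement into a queued message instead of a cleartext delivery, at the cost of mail to providers that never offer TLS never going out.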

  4. John Smith says:

    I really don’t see NSA as a realistic threat to me. Are they really going to transfer an analyst from reading emails coming out of Syria to reading emails I’m writing?

    So what does this latest move gain me?

    I suppose if it offered an adequate level of security (and I’m not sure it does) then I could use email for sensitive info like credit card details.

    In reality, if I send an email from an Apple account to a contact on Gmail, the only people intercepting the email are likely to be Google.

  5. @icloud is the default name for iCloud email. They are saying that it affects @me and @mac addresses as well – for those of us who still prefer to use the old style addresses.

  6. Winski says:

    Me.com and mac.com are very old domains. SO, if Apple uses these to ‘test’ end-to-end then the number of major hiccups could be avoided… Turn it on and it breaks for days, THAT’S a great way to alienate millions forever !!