
Is global email an enterprise email security risk?

Ubiquitous global email is right around the corner. But what effect will it have on enterprises? Expert Michael Cobb explains.

Google recently introduced some language/character changes to make Gmail a more global email service. What are the security benefits of such changes? And what security implications could a global email application/service have on an enterprise?

The Internet is a global phenomenon, yet its standards are still mainly based on the English alphabet -- which less than half of the world's population uses. For example, the email address josé is not valid because "josé" contains the letter é. Under RFC 5321, a mailbox name is restricted to a subset of 7-bit ASCII; special characters like á, é, ó and í, among others, are not allowed. Most mail servers will simply ignore the é and try to send the email to [email protected]. (Domain names are already internationalized under RFC 5890, so the email address [email protected] is valid.)

This can be frustrating for anyone wanting to use their own name in their email address. For example, someone called Cristóbal Colón, the Spanish for Christopher Columbus, would have to opt for an email address of [email protected] -- no longer a famous explorer, but a punctuation mark.

To remedy this situation, the Internet Engineering Task Force created a new email standard that supports addresses with non-ASCII characters. That was back in 2012, and even though ASCII was surpassed in 2008 by UTF-8 as the most common character encoding used on the Web, users have still been limited to basic Latin characters, because every email provider and every website that requires a valid email address during registration needs to adopt the new standard.

Google is the first big email provider to add support for non-Latin characters; Gmail can now correctly handle addresses that contain accented or non-Latin characters. This means Gmail users can send emails to and receive emails from people who have these characters in their email addresses, though as yet it is not possible to create a Gmail account using accented or non-Latin characters.

There are security implications, however, as support for non-Latin characters will make it easier for phishers to spoof people's email addresses.

Let me explain.

ASCII has several pairs of characters that look alike: for example, the capital letter O and the number 0, or lowercase l and uppercase I. There is little or no difference in the glyphs for these characters in most fonts, but computer systems treat them differently when processing them. For example, the ASCII code for capital I is 73, but the code for lowercase l is 108. Spoofing attacks based on these similarities are known as homograph spoofing attacks. This is similar to typosquatting, where an attacker registers a domain such as, but whereas typosquatting relies on natural human typos, homograph spoofing intentionally deceives users by using visually indistinguishable names.

Unicode incorporates numerous writing systems and increases the number of similar-looking characters such as the Greek Ο, Latin O and Cyrillic О. As a result, a cybercriminal or hacker working for a nation state could construct email addresses that recipients would believe are from a trusted friend or colleague such as а[email protected] instead of [email protected] -- the first address uses the Unicode character U+0430, the Cyrillic small letter a and not the Unicode character U+0061, the Latin small letter a.

Google is preempting attempts to exploit Unicode homograph attacks against the email username by updating its Gmail spam filter to reject emails with addresses that use suspicious character combinations, which makes targeted phishing attacks more difficult. What is classified as suspicious is based on specifications set by the Unicode Consortium, which establishes computing industry standards for the consistent representation and handling of text expressed in most of the world's writing systems.
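The kind of check described above, as an added example that is not Google's code or part of the original article: a small Python filter that normalizes an email local-part and flags it when its letters come from more than one writing system, which is what makes a Cyrillic а next to Latin letters suspicious. It derives a coarse script label from each character's Unicode name; that is an assumed simplification standing in for the Unicode Consortium's script and confusable tables, which a production filter would use.

```python
import unicodedata

# Scripts this simplified check recognises; anything else is labelled "OTHER".
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARABIC", "HEBREW",
           "CJK", "HANGUL", "HIRAGANA", "KATAKANA", "DEVANAGARI")


def script_of(ch):
    """Coarse script label taken from the prefix of the character's Unicode name.
    Assumption/simplification: a real filter uses the Unicode Script property
    and the UTS #39 confusable data rather than name prefixes."""
    if not ch.isalpha():
        return "COMMON"          # digits, dots, hyphens, underscores, marks
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def classify_local_part(local):
    """Classify the part of an address before the @:
      'ascii'  - entirely within the 7-bit repertoire RFC 5321 allows
      'single' - contains non-ASCII, but every letter is from one script
      'mixed'  - letters from more than one script: homograph-suspicious
    Returns (verdict, sorted list of scripts seen)."""
    local = unicodedata.normalize("NFC", local)   # fold e + U+0301 into é first
    scripts = sorted({script_of(c) for c in local} - {"COMMON"})
    if all(ord(c) < 128 for c in local):
        verdict = "ascii"
    elif len(scripts) > 1:
        verdict = "mixed"
    else:
        verdict = "single"
    return verdict, scripts


def explain(local):
    """Spell out every non-ASCII character so a reviewer sees what the eye cannot."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in local if ord(c) >= 128]


if __name__ == "__main__":
    # Constructed samples: U+0430 is the Cyrillic small a standing in for Latin a,
    # U+039F is the Greek capital omicron standing in for Latin O.
    for sample in ["alice", "jos\u00e9", "jose\u0301", "\u0430lice", "\u039fNE"]:
        verdict, scripts = classify_local_part(sample)
        print(f"{sample!r:14} {verdict:7} {scripts} {explain(sample)}")
```

The `explain` output is the part worth surfacing in a mail gateway's log or quarantine notice, since "U+0430 CYRILLIC SMALL LETTER A" tells an analyst what a rendered address never will.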

Although other webmail providers are likely to watch whether globalizing Gmail brings Google more users and affects their own user numbers before introducing more language localization themselves, internationalization is definitely happening. To counter this increased risk of Unicode homograph attacks, sites and users can use digital certificates so that others can validate the domain of the site they are visiting and verify the sender of incoming emails.


This was last published in May 2015
