Researchers Find Large Gaps in Email Security

February 22, 2016

Researchers at The University of Sydney (Australia), ICSI (USA), Data61 (Australia), and the Technical University of Munich (Germany) have found that while email sent between users of major providers is relatively secure, email sent by other providers is poorly protected in transit, with weaknesses in cryptographic setups and authentication.

The researchers examined electronic email and chat, performing active scans of the entire Internet and testing the setups of mail and chat servers. The researchers also analyzed the passive Internet traffic of more than 50,000 users in more than 16 million encrypted communication connections.

The researchers found that less than half of the mail servers supported even basic encrypted communication, and 17 percent used insecure cryptography. Only a third of mail servers can prove their identity securely, meaning that in most cases, a sender cannot determine whether an email is going to reach the right receiver or will be intercepted.

The researchers recommend more measurement of electronic communications and their protocols, and urge software makers to use reasonably secure default configurations.

Their paper, "TLS in the Wild: An Internet-Wide Analysis of TLS-Based Protocols for Electronic Communication," will be presented at the Internet Society's Network and Distributed System Security Symposium in San Diego.

The work is part of the ICSI Networking and Security Group's ongoing study of the state of encryption on the Internet. In 2012, ICSI launched the ICSI Certificate Notary, which collects information about the current use of TLS on the Internet. This year, Networking and Security researchers began working on the National Science Foundation project "Understanding the State of TLS Using Large-scale Passive Measurements" to broaden the understanding of the use and future direction of encrypted communication on the Internet.

Related paper: R. Holtz, J. Amann, O. Mehani, M. Wachs, and M. A. Kaafar. "TLS in the Wild: An Internet-Wide Analysis of TLS-Based Protocols for Electronic Communication." Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, February 2016