Google will soon start warning Gmail users of potential security risks when they receive an email from a non-encrypted connection. The warnings are scheduled to roll out in the next few months and are designed to push industry-wide adoption of strong encryption and authentication technologies for email.
Google’s move stems from a multi-year study conducted by researchers at Google, the University of Michigan, and the University of Illinois at Urbana-Champaign that surfaced mixed news on the email security front.
The researchers examined Simple Mail Transfer Protocol (SMTP) server configurations on the Alexa list of top million domains as well as one year’s worth of SMTP data from emails sent and received via Gmail.
The study showed that email security overall has improved significantly over the past two years mostly because of the broad adoption of encryption and authentication standards by Google, Yahoo, and Microsoft, the three biggest providers of email services.
However, a vast majority of the SMTP servers that other organizations use for sending and relaying email lag significantly behind in the use of Transport Layer Security (TLS) and other security mechanisms for protecting email, thereby exposing users to security risks.
The researchers found that incoming messages at Gmail that were protected by TLS jumped from 33% to 61% between December 2013 and October 2015. Similarly, the proportion of TLS-encrypted messages sent from Gmail to non-Gmail addresses increased from 60% to 80% in the same period, showing that many more domains support encrypted email than two years ago.
But when the researchers examined SMTP server configurations belonging to domains in the Alexa list of top million websites, they found a different story. Only 82% of the domains on the list, for instance, support TLS, and just 35% are configured to allow server authentication, the researchers noted. The relatively low adoption is likely because two of the top three SMTP platforms don’t support TLS by default, they added.
A similar gap in security capabilities exists with regard to email sender authentication. For instance, while Google uses a combination of mechanisms like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to validate inbound messages, only 47% of those in the Alexa list had a similar capability. A bare 1% use Domain-based Message Authentication, Reporting & Conformance (DMARC) for authenticating senders.
The security patchwork offers attackers an opportunity to intercept and snoop on email and do other kinds of damage, the report noted.
In a blog post Friday, Elie Bursztein, a member of Google’s anti-fraud and abuse team, and Nicolas Lidzborski, security engineering lead for Gmail, noted a couple of the challenges created by the inconsistent application of email security standards across the industry.
“First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections,” the two Googlers said. Google is currently working with members of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) to strengthen what the two researchers described as “opportunistic TLS” to mitigate the threat.
“Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name,” the two researchers said. Google’s goal in warning Gmail users about unencrypted connections is to alert them to such dangers, they said.
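To make the first challenge concrete, here is an added example (not code from the article, from Google, or from the study) that inspects a captured SMTP EHLO reply for the STARTTLS advertisement and flags a suspected downgrade, which is the kind of check a receiving or sending MTA can log on. The sample replies, the filler-keyword heuristic, and the per-domain memory of whether a peer previously offered STARTTLS are constructed assumptions.

```python
import re

# Constructed sample EHLO replies (CRLF-terminated, as on the wire).
NORMAL_EHLO = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Constructed: the same reply after a middlebox overwrote the STARTTLS keyword with filler.
STRIPPED_EHLO = NORMAL_EHLO.replace("250-STARTTLS", "250-XXXXXXXX")

# Heuristic (assumption): an EHLO keyword made of filler characters indicates tampering.
MANGLED_KEYWORD = re.compile(r"^X{6,}[A-Z]?$")


def parse_ehlo_keywords(reply: str) -> list[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    The first 250 line carries the server's domain, not an extension, so it is skipped.
    """
    keywords = []
    for line in reply.splitlines():
        m = re.match(r"^250[ -](\S+)", line.strip())
        if m:
            keywords.append(m.group(1).upper())
    return keywords[1:]


def assess_starttls(domain: str, reply: str, remembered: dict[str, bool]) -> str:
    """Classify the reply; `remembered` records domains that offered STARTTLS before."""
    keywords = parse_ehlo_keywords(reply)
    if "STARTTLS" in keywords:
        remembered[domain] = True
        return "tls-available"
    if any(MANGLED_KEYWORD.match(k) for k in keywords):
        return "downgrade-suspected:mangled-keyword"
    if remembered.get(domain):
        # Peer offered STARTTLS earlier; silent disappearance is worth alerting on.
        return "downgrade-suspected:previously-offered"
    return "tls-not-offered"


if __name__ == "__main__":
    policy: dict[str, bool] = {}
    print(assess_starttls("example.test", NORMAL_EHLO, policy))
    print(assess_starttls("example.test", STRIPPED_EHLO, policy))
```

Because opportunistic TLS falls back to plaintext whenever STARTTLS is absent, the value of this check is in the alert it raises, not in blocking delivery.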