Dark Reading | Endpoint | 11/13/2015 02:15 PM
Google Study Finds Email Security A Mixed Bag

The use of encryption and authentication mechanisms by Google, Yahoo, and Microsoft has improved security -- but problems remain.

Google will soon start warning Gmail users of potential security risks when they receive an email from a non-encrypted connection. The warnings are scheduled to roll out in the next few months and are designed to push industry-wide adoption of strong encryption and authentication technologies for email.

Google’s move stems from a multi-year study conducted by researchers at Google, the University of Michigan, and the University of Illinois at Urbana-Champaign that surfaced mixed news on the email security front.

The researchers examined Simple Mail Transfer Protocol (SMTP) server configurations on the Alexa list of top million domains as well as one year’s worth of SMTP data from emails sent and received via Gmail.

The study showed that email security overall has improved significantly over the past two years mostly because of the broad adoption of encryption and authentication standards by Google, Yahoo, and Microsoft, the three biggest providers of email services.

However, a vast majority of the SMTP servers that other organizations use for sending and relaying email lag significantly behind in the use of Transport Layer Security (TLS) and other security mechanisms for protecting email, thereby exposing users to security risks.

The researchers found that incoming messages at Gmail that were protected by TLS jumped from 33% to 61% between December 2013 and October 2015. Similarly, the proportion of TLS-encrypted messages sent from Gmail to non-Gmail addresses increased from 60% to 80% in the same period, showing that many more domains support encrypted email than two years ago.

But when the researchers examined SMTP server configurations belonging to domains in the Alexa list of top million websites, they found a different story. Only 82% of the domains on the list, for instance, support TLS, and just 35% are configured to allow server authentication, the researchers noted. The relatively low adoption is likely because two of the top three SMTP platforms don’t support TLS by default, they added.

A similar gap in security capabilities exists with regard to email sender authentication. For instance, while Google uses a combination of mechanisms like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to validate inbound messages, only 47% of those in the Alexa list had a similar capability. A bare 1% use Domain-based Message Authentication, Reporting & Conformance (DMARC) for authenticating senders.

The security patchwork offers attackers an opportunity to intercept and snoop on email and do other kinds of damage, the report noted.

In a blog post Friday, Elie Bursztein, a member of Google’s anti-fraud and abuse team, and Nicolas Lidzborski, security engineering lead for Gmail, noted a couple of the challenges created by the inconsistent application of email security standards across the industry.

“First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections,” the two Googlers said. Google is currently working with members of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) to strengthen what the two researchers described as “opportunistic TLS” to mitigate the threat.

“Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name,” the two researchers said. Google’s goal in warning Gmail users about unencrypted connections is to alert them to such dangers, they said.
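The study measured three things a receiving domain can verify for itself: whether its SMTP server advertises STARTTLS (and whether that advertisement survives in transit), and whether it publishes SPF and DMARC records. The checker below is an added example, not code from the study or from Google; the EHLO banners and DNS TXT records are constructed inline so it runs offline, and a live deployment would substitute a real EHLO exchange and TXT lookups. DKIM is not checked because verifying it requires knowing the selector name.

```python
"""Offline assessment of the gaps the study counted: STARTTLS advertised,
SPF policy strength, DMARC enforcement. Sample inputs are constructed."""
import re

# Constructed EHLO responses (not captured from any real server). The second
# models a middlebox that overwrites the STARTTLS keyword so clients never
# attempt encryption, the kind of tampering the article describes.
EHLO_WITH_TLS = "250-mx.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_TAMPERED = "250-mx.example.test\r\n250-SIZE 35882577\r\n250-XXXXXXXX\r\n250 8BITMIME\r\n"


def ehlo_offers_starttls(response: str) -> bool:
    """True only if some 250 line advertises exactly the STARTTLS keyword."""
    for line in response.splitlines():
        m = re.match(r"250[- ](\S+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def spf_policy(txt_records):
    """Return the meaning of the SPF record's 'all' qualifier, or None if no SPF record."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split()[1:]:
                if term.lstrip("+-~?").lower() == "all":
                    q = term[0] if term[0] in "+-~?" else "+"
                    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[q]
            return "no-all-term"
    return None


def dmarc_policy(txt_records):
    """Return the 'p=' tag of the _dmarc TXT record, or None if no DMARC record."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
            return tags.get("p", "missing").lower()
    return None


def assess(ehlo: str, txt_records, dmarc_records) -> list:
    """Collect weaknesses; an empty list means all three checks passed."""
    findings = []
    if not ehlo_offers_starttls(ehlo):
        findings.append("no STARTTLS advertised (plaintext delivery, or keyword stripped in transit)")
    spf = spf_policy(txt_records)
    if spf != "fail":
        findings.append(f"SPF does not end in -all (got: {spf})")
    dmarc = dmarc_policy(dmarc_records)
    if dmarc not in ("quarantine", "reject"):
        findings.append(f"DMARC policy does not enforce (got: {dmarc})")
    return findings
```

Calling `assess(EHLO_TAMPERED, ["v=spf1 mx ~all"], [])` reports all three gaps, which is the profile of the majority of top-million domains in the study.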

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
KhalidK164 (User Rank: Apprentice), 11/16/2015 | 3:02:43 AM
How can I check my email server is safe?
Hi,

We have implemented DKIM on our email server. I'll appreciate your expert opinion to make the security more solid.

Regards,

Khalid