11/13/2015
02:15 PM
Google Study Finds Email Security A Mixed Bag

The use of encryption and authentication mechanisms by Google, Yahoo, and Microsoft has improved security -- but problems remain.

Google will soon start warning Gmail users of potential security risks when they receive an email from a non-encrypted connection. The warnings are scheduled to roll out in the next few months and are designed to push industry-wide adoption of strong encryption and authentication technologies for email.

Google’s move stems from a multi-year study conducted by researchers at Google, the University of Michigan, and the University of Illinois at Urbana Champaign, that surfaced mixed news on the email security front.

The researchers examined Simple Mail Transfer Protocol (SMTP) server configurations on the Alexa list of top million domains as well as one year’s worth of SMTP data from emails sent and received via Gmail.

The study showed that email security overall has improved significantly over the past two years mostly because of the broad adoption of encryption and authentication standards by Google, Yahoo, and Microsoft, the three biggest providers of email services.

However, a vast majority of the SMTP servers that other organizations use for sending and relaying email lag significantly behind in the use of Transport Layer Security (TLS) and other security mechanisms for protecting email, thereby exposing users to security risks.

The researchers found that incoming messages at Gmail that were protected by TLS jumped from 33% to 61% between December 2013 and October 2015. Similarly, the proportion of TLS-encrypted messages sent from Gmail to non-Gmail addresses increased from 60% to 80% in the same period, showing that many more domains support encrypted email than two years ago.

But when the researchers examined SMTP server configurations belonging to domains in the Alexa list of top million websites, they found a different story. Only 82% on the list, for instance, support TLS, and just 35% are configured to allow server authentication, the researchers noted. The relatively low adoption is likely because two of the top three SMTP platforms don’t support TLS by default, they added.

A similar gap in security capabilities exists with regard to email sender authentication. For instance, while Google uses a combination of mechanisms like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to validate inbound messages, only 47% of those in the Alexa list had a similar capability. A bare 1% use Domain-based Message Authentication, Reporting & Conformance (DMARC) for authenticating senders.

The security patchwork offers attackers an opportunity to intercept and snoop on email and do other kinds of damage, the report noted.

In a blog post Friday, Elie Bursztein, a member of Google’s anti-fraud and abuse team, and Nicolas Lidzborski, security engineering lead for Gmail, noted a couple of the challenges created by the inconsistent application of email security standards across the industry.

“First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections,” the two Googlers said. Google is currently working with members of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) to strengthen what the two researchers described as “opportunistic TLS” to mitigate the threat.

“Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name,” the two researchers said. Google’s goal in warning Gmail users about unencrypted connections is to alert them to such dangers, they said.
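To make the gaps the study describes concrete (a mail server that does not offer STARTTLS, weak or missing SPF and DMARC policies, and MX records that differ from what the domain owner published), here is an added Python example, not code from the article or from Google's study. It evaluates a domain's mail-security posture from constructed inputs: an EHLO reply, TXT records, and an observed MX set. Domain names and records are made-up sample data so it runs offline; a real check would fetch the EHLO reply over SMTP and the records via DNS.

```python
"""Assess a domain's email-security posture from three inputs: the SMTP EHLO
reply (does the MX offer STARTTLS?), its SPF and DMARC TXT records, and whether
the MX hosts seen in DNS match the ones the domain owner published."""
import re

# Constructed sample EHLO replies (no real server was contacted).
EHLO_WITH_STARTTLS = "250-mx.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
# The same server as seen over a path where the STARTTLS capability was removed.
EHLO_STRIPPED = "250-mx.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if any 250 extension line in the EHLO reply advertises STARTTLS."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[ -](\S+)", line)
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def spf_policy(txt_records) -> str:
    """Classify the v=spf1 record by its final 'all' term: strict (-all), soft (~all), or none."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            last = rec.split()[-1].lower()
            if last == "-all":
                return "strict"
            if last == "~all":
                return "soft"
            return "none"  # +all, ?all, or no 'all' term at all
    return "none"  # no SPF record published


def dmarc_policy(txt_records) -> str:
    """Return the DMARC p= tag (reject / quarantine / none), or 'none' if no record exists."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()
    return "none"


def mx_matches_expected(observed_mx, expected_mx) -> bool:
    """A domain owner's sanity check: the MX hosts resolvers hand out match the published set."""
    return {h.lower().rstrip(".") for h in observed_mx} == {h.lower().rstrip(".") for h in expected_mx}


def assess(ehlo_reply, txt_records, observed_mx, expected_mx) -> dict:
    """Combine the individual checks into one posture summary."""
    return {"starttls": ehlo_offers_starttls(ehlo_reply), "spf": spf_policy(txt_records),
            "dmarc": dmarc_policy(txt_records), "mx_ok": mx_matches_expected(observed_mx, expected_mx)}
```

Anything other than starttls=True, spf=strict, dmarc=reject (or quarantine), mx_ok=True is a finding worth following up on the domain's own infrastructure.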

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
KhalidK164,
User Rank: Apprentice
11/16/2015 | 3:02:43 AM
How can I check my email server is safe?
Hi,

We have implemented DKIM on our email server. I'd appreciate your expert opinion to make the security more solid.

Regards,
Khalid