Email security improving, but far from perfect

11/18/2015 August Schiess, CSL

A new report from CSL Associate Professor Michael Bailey finds many email servers still do not support important security protocols and therefore face vulnerability from hackers.

Written by August Schiess, CSL

Email security helps protect some of our most sensitive data: password recovery confirmations, financial data, confidential correspondences, and more. According to a new report, published by CSL Associate Professor Michael Bailey in collaboration with colleagues at the University of Michigan and Google, email security is significantly better than it was two years ago, but still has widespread issues. 
The networking protocols that underlie today’s Internet were not originally built to be secure—it was only years later that security protocols were “bolted on” to the existing systems. However, despite there being measures in place to solve these security issues, each individual email server has the choice whether to adopt these protocols. Email security in the past two years has improved because companies like Google now use these protocols, but there are many other servers that do not.
“Much of the measurement work done in my lab is focused on how we can incentivize an individual or an organization to make a right decision—to adopt these security protocols,” said Bailey, a member of the ECE Illinois faculty. “A lot of the interesting work in security goes beyond not only modeling the technology, but modeling the organizations that use that technology and how they choose to use it.” 
In addition to measuring the adoption of email security protocols at scale, Bailey and his team also highlighted some of the implications of “bolted on security” in today’s email. For example, because the protocols that govern email-server-to-email-server communication were originally not designed to support encryption, a command called STARTTLS was later added that allowed two email servers to negotiate a secure connection. However, because this command can only be issued after two email servers begin communicating in an insecure fashion, an attacker can corrupt the STARTTLS command, forcing the email exchange to continue without encryption. 
“We found that there’s a significant number of email exchanges in which there’s an adversary between two mail servers who’s trying to intentionally downgrade the communication,” said Bailey. “For example, pretty much every email server in Tunisia is not safe. In other countries, like Iraq and Nepal, it’s close to 1 in 4 servers that are actively being downgraded.”
While the report provides encouraging news that email security continues to strengthen, the report also serves to remind users that it remains important to understand the limits of privacy in email and on the Internet as a whole. 
“I work under the assumption that any email I send without special care has an Internet-wide distribution list,” says Bailey. “If you want to send a secure email, you must either trust every computer and network your email traverses, or make sure that the email contents are encrypted before it ever leaves your computer.”
 
Email security helps protect some of our most sensitive data: password recovery confirmations, financial data, confidential correspondences, and more. According to a new report, published by CSL Associate Professor Michael Bailey in collaboration with colleagues at the University of Michigan and Google, email security is significantly better than it was two years ago, but still has widespread issues. 
 
Michael Bailey
Michael Bailey
Michael Bailey
The networking protocols that underlie today’s Internet were not originally built to be secure—it was only years later that security protocols were “bolted on” to the existing systems. However, despite there being measures in place to solve these security issues, each individual email server has the choice whether to adopt these protocols. Email security in the past two years has improved because companies like Google now use these protocols, but there are many other servers that do not.
 
“Much of the measurement work done in my lab is focused on how we can incentivize an individual or an organization to make a right decision—to adopt these security protocols,” said Bailey, a member of the ECE Illinois faculty. “A lot of the interesting work in security goes beyond not only modeling the technology, but modeling the organizations that use that technology and how they choose to use it.” 
 
In addition to measuring the adoption of email security protocols at scale, Bailey and his team also highlighted some of the implications of “bolted on security” in today’s email. For example, because the protocols that govern email-server-to-email-server communication were originally not designed to support encryption, a command called STARTTLS was later added that allowed two email servers to negotiate a secure connection. However, because this command can only be issued after two email servers begin communicating in an insecure fashion, an attacker can corrupt the STARTTLS command, forcing the email exchange to continue without encryption. 
 
This graph shows the countries with the highest percentage of emails that were intentionally downgraded by STARTTLS modification during April 20-27, 2015.
This graph shows the countries with the highest percentage of emails that were intentionally downgraded by STARTTLS modification during April 20-27, 2015.
This graph shows the countries with the highest percentage of emails that were intentionally downgraded by STARTTLS modification during April 20-27, 2015.
“We found that there’s a significant number of email exchanges in which there’s an adversary between two mail servers who’s trying to intentionally downgrade the communication,” said Bailey. “For example, pretty much every email server in Tunisia is not safe. In other countries, like Iraq and Nepal, it’s close to 1 in 4 servers that are actively being downgraded.”
 
While the report provides encouraging news that email security continues to strengthen, the report also serves to remind users that it remains important to understand the limits of privacy in email and on the Internet as a whole. 
 
“I work under the assumption that any email I send without special care has an Internet-wide distribution list,” says Bailey. “If you want to send a secure email, you must either trust every computer and network your email traverses, or make sure that the email contents are encrypted before it ever leaves your computer.”
 

Share this story

This story was published November 18, 2015.