Google Study Finds Email Security A Mixed Bag
Google will soon start warning Gmail users of potential security risks when they receive an email from a non-encrypted connection. The warnings are scheduled to roll out in the next few months and are designed to push industry-wide adoption of strong encryption and authentication technologies for email.
Google’s move stems from a multi-year study conducted by researchers at Google, the University of Michigan, and the University of Illinois at Urbana-Champaign that surfaced mixed news on the email security front.
The researchers examined Simple Mail Transfer Protocol (SMTP) server configurations on the Alexa list of top million domains as well as one year’s worth of SMTP data from emails sent and received via Gmail.
The study showed that email security overall has improved significantly over the past two years mostly because of the broad adoption of encryption and authentication standards by Google, Yahoo, and Microsoft, the three biggest providers of email services.
However, a vast majority of the SMTP servers that other organizations use for sending and relaying email lag significantly behind in the use of Transport Layer Security (TLS) and other security mechanisms for protecting email, thereby exposing users to security risks.
The researchers found that incoming messages at Gmail that were protected by TLS jumped from 33% to 61% between December 2013 and October 2015. Similarly, the proportion of TLS-encrypted messages sent from Gmail to non-Gmail addresses increased from 60% to 80% in the same period, showing that many more domains support encrypted email compared to two years ago.
But when the researchers examined SMTP server configurations belonging to domains in the Alexa list of top million websites, they found a different story. Only 82% of the domains on the list, for instance, support TLS, and just 35% are configured to allow server authentication, the researchers noted. The relatively low adoption is likely because two of the top three SMTP platforms don’t support TLS by default, they added.
A similar gap in security capabilities exists with regard to email sender authentication. For instance, while Google uses a combination of mechanisms like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to validate inbound messages, only 47% of those in the Alexa list had a similar capability. A bare 1% use Domain-based Message Authentication, Reporting & Conformance (DMARC) for authenticating senders.
The security patchwork offers attackers an opportunity to intercept and snoop on email and do other kinds of damage, the report noted.
In a blog post Friday, Elie Bursztein, a member of Google’s anti-fraud and abuse team, and Nicolas Lidzborski, security engineering lead for Gmail, noted a couple of the challenges created by the inconsistent application of email security standards across the industry.
“First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections,” the two Googlers said. Google is currently working with members of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) to strengthen what the two researchers described as “opportunistic TLS” to mitigate the threat.
“Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name,” the two researchers said. Google’s goal in warning Gmail users about unencrypted connections is to alert them to such dangers, they said.
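The two gaps the article describes, servers that do not offer (or are prevented from offering) STARTTLS, and domains with weak or missing SPF/DMARC records, are things a mail administrator can check for their own domain. The following script is an added example written for this page; it is not code from the study, from Google, or from M3AAWG. It parses an SMTP EHLO reply to see whether STARTTLS is advertised (and flags the keyword-overwritten-with-X pattern that some STARTTLS-stripping middleboxes are known to leave behind, treated here as a heuristic), and it parses SPF and DMARC TXT records to report whether they actually enforce anything. Every sample reply and record below is constructed for illustration; `example.net` hostnames and the `audit_domain` helper are assumptions of this example, not values from the article. DKIM signature verification is out of scope.

```python
"""Added audit helpers (not from the study or from Google): does an SMTP server's
EHLO reply advertise STARTTLS, and do a domain's SPF and DMARC TXT records exist
and enforce a policy? All sample inputs at the bottom are constructed."""
import re
from typing import Optional

DNS_QUERYING = {"include", "a", "mx", "ptr", "exists"}  # RFC 7208 counts these terms
LOOKUP_LIMIT = 10                                      # against a limit of 10 lookups


def parse_ehlo(reply: str) -> dict:
    """Return {EXTENSION: parameters} from a multi-line EHLO reply.
    Lines look like '250-STARTTLS' (more follow) or '250 8BITMIME' (last line)."""
    extensions, seen_greeting = {}, False
    for line in reply.replace("\r\n", "\n").split("\n"):
        m = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line)
        if not m:
            continue
        if not seen_greeting:  # first 250 line carries the server hostname, not an extension
            seen_greeting = True
            continue
        extensions[m.group(1).upper()] = m.group(2) or ""
    return extensions


def advertises_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def starttls_looks_masked(reply: str) -> bool:
    """Heuristic (assumption): a keyword made only of 'X' where an extension name
    belongs is the trace left when a middlebox overwrites STARTTLS in place."""
    return any(re.fullmatch(r"X{4,}", key) for key in parse_ehlo(reply))


def parse_spf(txt: str) -> Optional[dict]:
    """Parse 'v=spf1 ...' into mechanisms, modifiers, the qualifier on 'all' and the
    number of DNS-querying terms. Returns None when the record is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, modifiers, all_qualifier, lookups = [], {}, None, 0
    for term in terms[1:]:
        if "=" in term:  # modifiers use '=', mechanisms use ':'
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            lookups += key.lower() == "redirect"
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        mechanisms.append((qualifier, term.lower()))
        lookups += name in DNS_QUERYING
        if name == "all":
            all_qualifier = qualifier
    return {"mechanisms": mechanisms, "modifiers": modifiers,
            "all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict. Returns None when not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def audit_domain(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> list:
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no record, receivers cannot reject forged envelope senders")
    else:
        if spf["all"] not in ("-", "~"):
            findings.append("SPF: 'all' qualifier is %r, unknown senders are not failed" % spf["all"])
        if spf["lookups"] > LOOKUP_LIMIT:
            findings.append("SPF: %d DNS-querying terms exceed %d (permerror)" % (spf["lookups"], LOOKUP_LIMIT))
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no record, SPF/DKIM results are never tied to the From: domain")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors, nothing is quarantined or rejected")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC: pct=%s applies the policy to only part of the mail" % dmarc["pct"])
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, aggregate reports are never received")
    return findings


# Constructed samples (not captured traffic and not real DNS data).
EHLO_WITH_STARTTLS = ("250-mail.example.net Hello client.example.org\r\n"
                      "250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME")
EHLO_MASKED = EHLO_WITH_STARTTLS.replace("STARTTLS", "XXXXXXXX")
SPF_STRICT = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.net; pct=100"

if __name__ == "__main__":
    print("STARTTLS advertised:", advertises_starttls(EHLO_WITH_STARTTLS))  # True
    print("STARTTLS masked:", starttls_looks_masked(EHLO_MASKED))          # True
    print("strict domain:", audit_domain(SPF_STRICT, DMARC_STRICT))         # []
    print("weak domain:", audit_domain("v=spf1 +all", "v=DMARC1; p=none"))
```

In practice the EHLO reply would come from a live connection and the TXT records from a DNS query for `example.net` and `_dmarc.example.net`; the parsers are kept separate from any network code so they can be run against captured data, which is also how one would compare a reply seen from inside a network against one seen from outside to spot the tampering the article describes.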
**Important note** - contact our sister company for very powerful solutions for IP management (IPv4 and IPv6, security, firewall and APT solutions):
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email”. My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” will be published soon, followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio. Additionally, I provide content for an online newsletter via paper.li. I have also established Netiquette discussion groups with LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and have been a contributor to numerous blogs and publications.
Lastly, I am the founder and president of Tabula Rosa Systems, a company that provides “best of breed” products for network, security and system management and services. Tabula Rosa has a new blog and Twitter site which offer great IT product information for virtually anyone.