Email security has improved significantly in the past two years, but widespread issues remain, according to a report from University of Illinois at Urbana-Champaign professor Michael Bailey in collaboration with colleagues at the University of Michigan and Google.
The report notes networking protocols that underlie the Internet were not originally built to be secure, and security protocols were "bolted on" to the existing systems years later. Such measures are available to address security issues, but each individual server still has the choice whether to adopt the protocols, Bailey and colleagues found.
The study also determined that companies such as Google now use these protocols, which has helped boost email security in recent years, but many other servers still do not use them.
The researchers measured the adoption of email security protocols at scale and also highlighted some of the implications of "bolted-on security." For example, the STARTTLS command is vulnerable to an attack that would force email exchanges to continue without encryption, the researchers note.
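The downgrade works because a sending server that treats STARTTLS as optional falls back to plaintext when the keyword is missing from the EHLO reply. The Python below is an added example, not code from the report: it parses an EHLO reply and fails closed when a host that should offer STARTTLS does not. The host name, the sample replies, and the names `decide`, `seen_tls` and `require_tls` are assumptions made for illustration.

```python
import re

# One SMTP reply line: 3-digit code, "-" (more follow) or " " (last), then text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample EHLO replies (not captured traffic).
REPLY_TLS = "250-mx.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
REPLY_STRIPPED = "250-mx.example.net\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"


def parse_ehlo(reply):
    """Return the set of extension keywords advertised in an EHLO reply."""
    lines = [line for line in reply.splitlines() if line]
    keywords = set()
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        fields = match.group(3).split()
        if index > 0 and fields:  # line 0 is the server's greeting, not an extension
            keywords.add(fields[0].upper())
    return keywords


def decide(host, reply, seen_tls, require_tls=False):
    """Choose how to proceed after EHLO; returns (action, alert).

    seen_tls is a set of hosts that offered STARTTLS before (hypothetical
    local state); require_tls models a per-domain "TLS only" policy.
    """
    if "STARTTLS" in parse_ehlo(reply):
        seen_tls.add(host)
        return ("starttls", None)  # certificate validation still has to follow
    if require_tls or host in seen_tls:
        # Fail closed: keep the message queued instead of sending it in clear.
        return ("defer", f"{host}: STARTTLS missing, possible downgrade")
    # Opportunistic fallback: this is the path a stripping attacker relies on.
    return ("plaintext", None)


if __name__ == "__main__":
    seen = set()
    for reply in (REPLY_TLS, REPLY_STRIPPED):
        print(decide("mx.example.net", reply, seen))
```

On first contact with no policy, the stripped reply still yields plaintext delivery, which is why remembered state or an explicit TLS-only policy is needed to notice the downgrade.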
"We found that there's a significant number of email exchanges in which there's an adversary between two mail servers who's trying to intentionally downgrade the communication," Bailey says.
From University of Illinois at Urbana-Champaign
Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA