Communications of the ACM
Email Encryption Is Broken
Sizable portions of email traffic are either being sent without encryption or are being deliberately stripped of it, according to a study of global adoption rates of email security extensions.
Credit: Sbastien Launay/Flickr
Technology designed to encrypt and authenticate emails is ineffective because sizable portions of email traffic are either being sent without encryption or deliberately stripped of it, according to a new U.S. study on global adoption rates of email security extensions.
One of the report's few positive findings is "from Gmail's perspective, incoming messages protected by [Transport Layer Security (TLS)] have increased 82 percent over the last year," largely because big providers are encrypting traffic. However, only 82 percent of the 700,000 SMTP servers associated with the top 1 million domains support TLS, while only 35 percent permit appropriate server authentication.
Mass-scale attacks in which STARTTLS sessions had their encryption removed also were observed, with "the distribution...spread over networks owned by governments, Internet service providers, corporations, and financial, academic, and healthcare institutions."
The researchers estimated more than 20 percent of email is being sent in cleartext in seven nations, and they warn the stripping method "results in messages being sent in cleartext over the public Internet, enabling passive eavesdropping and other attacks."
Suggested solutions include implementing the equivalent of an HTTP Strict Transport Security for email. Researcher Frederic Jacobs says such a solution is undergoing standardization, but adoption is slow.
From Motherboard
View Full Article
Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA
No entries found