From darkreading.com
Google Study Finds Email Security A Mixed Bag
The use of encryption and authentication mechanisms by Google, Yahoo, and
Microsoft has improved security -- but problems remain.
Google will soon start warning Gmail users of potential
security risks when they receive an email from a non-encrypted connection. The
warnings are scheduled to roll out in the next few months and are designed to
push industry-wide adoption of strong encryption and authentication
technologies for email.
Google’s move stems from a multi-year study conducted by researchers at Google,
the University of Michigan, and the University of Illinois at Urbana-Champaign
that surfaced mixed news on the email security front.
The researchers examined Simple Mail Transfer Protocol (SMTP) server
configurations on the Alexa list of top million domains as well as one year’s
worth of SMTP data from emails sent and received via Gmail.
The study showed that email security overall has improved significantly over the
past two years, mostly because of the broad adoption of encryption and
authentication standards by Google, Yahoo, and Microsoft, the three biggest
providers of email services.
However, a vast majority of the SMTP servers that other organizations use for
sending and relaying email lag significantly behind in the use of Transport
Layer Security (TLS) and other security mechanisms for protecting email, thereby
exposing users to security risks.
The researchers found that incoming messages at Gmail that were protected by TLS
jumped from 33% to 61% between December 2013 and October 2015. Similarly, the
proportion of TLS-encrypted messages sent from Gmail to non-Gmail addresses
increased from 60% to 80% in the same period, showing that a lot more domains
support encrypted email compared to two years ago.
But when the researchers examined SMTP server configurations belonging to
domains in the Alexa list of top million websites, they found a different story.
Only 82% on the list, for instance, support TLS, and just 35% are configured to
allow server authentication, the researchers noted. The relatively low adoption
is likely because two of the top three SMTP platforms don’t support TLS by
default, they added.
A similar gap in security capabilities exists with regard to email sender
authentication. For instance, while Google uses a combination of mechanisms
like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to
validate inbound messages, only 47% of those in the Alexa list had a similar
capability. A bare 1% use Domain-based Message Authentication, Reporting &
Conformance (DMARC) for authenticating senders.
The security patchwork offers attackers an opportunity to intercept and snoop on
email and do other kinds of damage, the report noted.
In a blog post Friday, Elie Bursztein, a member of Google’s
anti-fraud and abuse team, and Nicolas Lidzborski, security engineering lead
for Gmail, noted a couple of the challenges created by the inconsistent
application of email security standards across the industry.
“First, we found regions of the Internet actively preventing message encryption
by tampering with requests to initiate SSL connections,” the two Googlers said.
Google is currently working with members of the Messaging Malware Mobile
Anti-Abuse Working Group (M3AAWG) to strengthen what the two researchers
described as “opportunistic TLS” to mitigate the threat.
“Second, we uncovered malicious DNS servers publishing bogus routing information
to email servers looking for Gmail. These nefarious servers are like telephone
directories that intentionally list misleading phone numbers for a given name,”
the two researchers said. Google’s goal in warning Gmail users about
unencrypted connections is to alert them to such dangers, they said.
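An added example, not part of the original article or the study: a mail administrator's offline check of the three properties the researchers measured, namely whether a server's EHLO reply offers STARTTLS, whether the domain publishes SPF, and whether its DMARC policy is enforcing. The sample replies and TXT records are constructed, and treating a capability overwritten with one repeated character (such as XXXXXXXX) as a sign of in-path tampering is a heuristic assumed here.

```python
import re

# Constructed sample inputs (not captured traffic or real DNS data).
EHLO_OK = "250-mx.example.org Hello\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
EHLO_MASKED = "250-mx.example.net Hello\n250-SIZE 35882577\n250-XXXXXXXX\n250 8BITMIME"
TXT_ROOT = ["v=spf1 include:_spf.example.org -all"]
TXT_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"]

def ehlo_capabilities(response):
    """Return the set of extension keywords in a multi-line 250 EHLO reply."""
    caps = set()
    for line in response.splitlines()[1:]:      # first line is the greeting
        m = re.match(r"250[- ](\S+)", line.strip())
        if m:
            caps.add(m.group(1).upper())
    return caps

def tls_status(response):
    caps = ehlo_capabilities(response)
    if "STARTTLS" in caps:
        return "starttls-offered"
    # Heuristic (assumption): an 8-character keyword made of one repeated
    # character is what a rewriting middlebox leaves in place of STARTTLS.
    if any(len(c) == len("STARTTLS") and len(set(c)) == 1 for c in caps):
        return "starttls-possibly-stripped"
    return "cleartext-only"

def sender_auth(txt_root, txt_dmarc):
    """txt_root: TXT records at the domain; txt_dmarc: TXT at _dmarc.<domain>."""
    spf = any(t.lower().split(" ")[0] == "v=spf1" for t in txt_root)
    dmarc = next((t for t in txt_dmarc if t.lower().startswith("v=dmarc1")), None)
    policy = None
    if dmarc:
        tags = dict(p.strip().split("=", 1) for p in dmarc.split(";") if "=" in p)
        policy = tags.get("p", "").strip().lower() or None
    return {"spf": spf, "dmarc_policy": policy}

def audit(response, txt_root, txt_dmarc):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    status = tls_status(response)
    if status != "starttls-offered":
        findings.append(status)
    auth = sender_auth(txt_root, txt_dmarc)
    if not auth["spf"]:
        findings.append("no-spf")
    if auth["dmarc_policy"] in (None, "none"):
        findings.append("dmarc-not-enforcing")
    return findings

if __name__ == "__main__":
    print(audit(EHLO_OK, TXT_ROOT, TXT_DMARC))
    print(audit(EHLO_MASKED, [], ["v=DMARC1; p=none"]))
```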