Google last week announced that it is developing features for Gmail that will notify users when they receive messages over an unencrypted connection.
It’s doing this because of continuing issues with email security.
Regions of the Internet are preventing message encryption by tampering with the STARTTLS requests that initiate Transport Layer Security connections, and malicious DNS servers are publishing false addresses for Gmail's mail servers to mail servers looking for Gmail, a study conducted by Google and researchers at the universities of Illinois at Urbana-Champaign and Michigan has found.
These threats don’t affect communication between Gmail users, but they may impact messaging between providers, Google said.
Warning Gmail users that they’re getting email from malicious DNS servers is a little like telling someone a burglar is at the door — it won’t help apprehend the burglar.
“Yes, but he may not open the door,” remarked Rob Enderle, principal analyst at the Enderle Group.
“This is part of a multistep process, not a final solution,” he told the E-Commerce Times.
The warning “will help in cases where hackers try to perform DNS poisoning while trying to infect or phish users visiting well-established websites,” security consultant Sorin Mustaca said.
The features will be rolled out in the coming months.
Email Security Issues
While 82 percent of the more than 700,000 SMTP servers associated with Alexa’s top 1 million domains support Transport Layer Security, only 35 percent are configured properly to allow server authentication, the researchers found, and only 1.1 percent specify a DMARC authentication policy.
Simple Mail Transfer Protocol on its own neither authenticates senders nor encrypts mail in transit; both are added through optional protocol extensions (STARTTLS for encryption; SPF, DKIM and DMARC for sender authentication), so any session in which an extension is absent, unsupported or stripped falls back to unprotected communication.
Further, when mail servers do specify Sender Policy Framework policies, 29 percent are overly broad, covering tens of thousands of addresses, the researchers found.
These gaps let a network attacker downgrade a TLS session to cleartext, and let a malicious resolver return false mail exchanger (MX) records that reroute messages, either of which exposes users' mail.
More than 41,000 SMTP servers in 193 countries can't protect email from passive eavesdroppers because the STARTTLS protocol extension is being corrupted on the network, the researchers said. In seven countries, more than 20 percent of inbound Gmail messages are prevented from being encrypted and arrive in cleartext because of network attackers, which allows those attackers to intercept and read the email.
Some 14,600 publicly accessible domain name system servers in 69 countries are providing fraudulent addresses for Gmail's SMTP servers, they found.
SMTP doesn’t have a mechanism to indicate that mail should be protected by TLS, and when TLS is used, there’s no robust way for a sender to verify the authenticity of the recipient email server.
Google and other email providers are working on protecting people impacted by STARTTLS corruption, Enderle said.
Assessing the Problem
Going with TLS is not necessarily the answer because “many emails would not reach their destination if the destination servers don’t support TLS,” security consultant Mustaca told the E-Commerce Times.
Emails continue to be delivered because of opportunistic encryption. “Servers first try to establish a TLS connection and, if they don’t succeed, they continue communicating on unencrypted connections,” he explained.
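The exchange behind the STARTTLS corruption described above, and the opportunistic fallback Mustaca describes, as an added example that is not code from Google, the researchers or the E-Commerce Times. It simulates the EHLO reply of a hypothetical receiving server (mx.example.net, a constructed name), an on-path attacker that blanks out the STARTTLS keyword (the overwriting-with-filler behaviour is assumed here as one form of the tampering), and two sending policies: today's opportunistic fallback, which silently delivers in cleartext, and a mandatory-TLS policy, which refuses to send rather than downgrade and so illustrates the delivery trade-off Mustaca raises.

```python
# Added illustrative example; not code from Google, the study or the publication.
from typing import Dict, List, Tuple

# Constructed EHLO reply from a hypothetical receiving server (mx.example.net).
# Each line after the greeting names one ESMTP extension; the final line uses
# "250 " instead of "250-" to mark the end of the multi-line reply.
HONEST_EHLO_REPLY: List[str] = [
    "250-mx.example.net Hello client.example.org",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 8BITMIME",
]


def parse_ehlo(reply: List[str]) -> Dict[str, str]:
    """Return the ESMTP keywords advertised in an EHLO reply, mapped to their parameters."""
    caps: Dict[str, str] = {}
    for line in reply[1:]:  # line 0 is the server greeting, not an extension keyword
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        keyword, _, params = line[4:].partition(" ")
        caps[keyword.upper()] = params
    return caps


def strip_starttls(reply: List[str]) -> List[str]:
    """Model of on-path tampering with the EHLO reply.

    The attacker overwrites the STARTTLS keyword with filler bytes of the same
    length (assumed behaviour for illustration), so the reply stays well formed
    but the sending server never learns that TLS is available.
    """
    return [line.replace("STARTTLS", "XXXXXXXX") for line in reply]


def negotiate(reply: List[str], require_tls: bool) -> Tuple[str, str]:
    """Decide how a sending server proceeds after reading the EHLO reply.

    Returns (outcome, reason); outcome is "tls", "cleartext" or "refused".
    require_tls=False models opportunistic encryption as deployed today;
    require_tls=True models a sender that holds the message rather than
    send it in the clear.
    """
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        return "tls", "server advertised STARTTLS; upgrading before MAIL FROM"
    if require_tls:
        return "refused", "STARTTLS not offered and TLS is mandatory; message queued, not sent"
    return "cleartext", "STARTTLS not offered; continuing on the unencrypted session"


def run_scenarios() -> Dict[str, str]:
    """Run the cases discussed in the text and return each outcome by name."""
    tampered = strip_starttls(HONEST_EHLO_REPLY)
    return {
        "honest_path": negotiate(HONEST_EHLO_REPLY, require_tls=False)[0],
        "stripped_opportunistic": negotiate(tampered, require_tls=False)[0],
        "stripped_mandatory": negotiate(tampered, require_tls=True)[0],
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

Run as a script it prints the three outcomes: the untouched path upgrades to TLS, the stripped path with opportunistic encryption delivers in cleartext (the case the study measured), and the stripped path with mandatory TLS refuses delivery, which is exactly why providers have been reluctant to make TLS required.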
“The security landscape is very fragmented and very discombobulated with regard to encryption,” said Paul Ferguson, a threat research advisor at Trend Micro. “There doesn’t seem to be a lot of coherency, to the point where end users are confused and don’t know how to properly protect themselves.”
Encryption in email “is not fully baked and is fragmented at various levels of the protocol stack,” he told the E-Commerce Times. Users can encrypt their email with Pretty Good Privacy, but “then it runs across unencrypted paths.”
The main problem with email security is lack of awareness, Ferguson said, but, “as more data breaches occur and more personally identifiable information is stolen, that may change.”
Warning Gmail users of incoming unencrypted emails tackles only the client side of the problem; there are issues in other areas, including server-to-server communications, where TLS applies, and in the certificate authority architecture, he said. “We have a disorganized technology space that doesn’t serve the end user very well.”