Google has partnered with the University of Michigan and the University of Illinois, and for the last couple of years they have been studying how email security has evolved.
The researchers have been collecting data on the adoption of SMTP security extensions (STARTTLS, SPF, DKIM, and DMARC), both by checking the SMTP server configurations of the Alexa Top Million domains and by examining SMTP connections to and from Gmail.
“The SMTP protocol is responsible for carrying some of users’ most intimate communication, but like other Internet protocols, authentication and confidentiality were added only as an afterthought,” they explained.
But even though the use of secure mail technologies has risen considerably over the past years, much of this growth is due to top mail providers such as Gmail, Yahoo, and Outlook, and many smaller organizations are still trying to catch up – both when it comes to deployment and proper configuration.
Their research also uncovered new security challenges, and Google has been working on mitigating them.
“First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections. To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen ‘opportunistic TLS’ using technologies that we pioneered with Chrome to protect websites against interception,” Google’s Elie Bursztein and Nicolas Lidzborski shared in a blog post.
“Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name. While this type of attack is rare, it’s very concerning as it could allow attackers to censor or alter messages before they are relayed to the email recipient.”
“While these threats do not affect Gmail to Gmail communication, they may affect messaging between providers,” they said, explaining Google’s particular interest in fixing this problem. “To notify our users of potential dangers, we are developing in-product warnings for Gmail users that will display when they receive a message through a non-encrypted connection. These warnings will begin to roll out in the coming months.”
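The per-domain check the survey describes (does the mail server offer STARTTLS, does the domain publish SPF and DMARC) can be sketched as follows. This is an added example, not the researchers' or Google's code: the function names and sample records are constructed, the EHLO reply and TXT records are assumed to have been collected separately, and DKIM is left out because its key is published under a selector name that cannot be derived from the domain alone.

```python
import re

# Constructed sample inputs (not real measurements): an EHLO reply, the TXT
# records at the domain, and the TXT records at _dmarc.<domain>.
SAMPLE_EHLO = ("250-mx.example.test at your service\r\n250-SIZE 35882577\r\n"
               "250-8BITMIME\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n")
SAMPLE_TXT = ["site-verification=abc123", "v=spf1 include:_spf.example.test ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:reports@example.test"]

def ehlo_extensions(reply):
    """Extension keywords advertised in a multi-line 250 EHLO reply."""
    exts = set()
    for i, line in enumerate(reply.splitlines()):
        m = re.match(r"250([- ])(\S+)", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        if i > 0:                  # line 0 is the greeting, not an extension
            exts.add(m.group(2).upper())
        if m.group(1) == " ":      # "250 " (space, not hyphen) ends the reply
            break
    return exts

def spf_all_qualifier(txt_records):
    """Qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'), or None."""
    for rec in txt_records:
        terms = rec.lower().split()
        if terms and terms[0] == "v=spf1":
            for term in terms[1:]:
                m = re.fullmatch(r"([-~?+]?)all", term)
                if m:
                    return m.group(1) or "+"   # a bare "all" means "+all"
    return None

def dmarc_policy(txt_records):
    """Value of the p= tag in the DMARC record, or None if no record."""
    for rec in txt_records:
        tags = {k.strip().lower(): v.strip().lower()
                for k, _, v in (p.partition("=") for p in rec.split(";"))}
        if tags.get("v") == "dmarc1":
            return tags.get("p") or None
    return None

def posture(ehlo_reply, domain_txt, dmarc_txt):
    """Summarise one domain the way a per-domain adoption check would."""
    return {"starttls": "STARTTLS" in ehlo_extensions(ehlo_reply),
            "spf_all": spf_all_qualifier(domain_txt),
            "dmarc_policy": dmarc_policy(dmarc_txt)}

if __name__ == "__main__":
    print(posture(SAMPLE_EHLO, SAMPLE_TXT, SAMPLE_DMARC_TXT))
```

A `starttls: False` result seen from a single network path does not distinguish a server that lacks TLS support from one whose STARTTLS offer was removed in transit, which is the tampering the researchers describe. Repeating the check from a second vantage point and comparing the results separates the two cases.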