Email security improving, but far from perfect
Email security helps protect some of our most sensitive data: password recovery confirmations, financial data, confidential correspondences, and more. According to a new report, published by CSL Associate Professor Michael Bailey in collaboration with colleagues at the University of Michigan and Google, email security is significantly better than it was two years ago, but still has widespread issues.
Google now use these protocols, but there are many other servers that do not.
“Much of the measurement work done in my lab is focused on how we can incentivize an individual or an organization to make a right decision—to adopt these security protocols,” said Bailey, a member of the ECE Illinois faculty. “A lot of the interesting work in security goes beyond not only modeling the technology, but modeling the organizations that use that technology and how they choose to use it.”
In addition to measuring the adoption of email security protocols at scale, Bailey and his team also highlighted some of the implications of “bolted on security” in today’s email. For example, because the protocols that govern email-server-to-email-server communication were originally not designed to support encryption, a command called STARTTLS was later added that allowed two email servers to negotiate a secure connection. However, because this command can only be issued after two email servers begin communicating in an insecure fashion, an attacker can corrupt the STARTTLS command, forcing the email exchange to continue without encryption.
While the report provides encouraging news that email security continues to strengthen, the report also serves to remind users that it remains important to understand the limits of privacy in email and on the Internet as a whole.
“I work under the assumption that any email I send without special care has an Internet-wide distribution list,” says Bailey. “If you want to send a secure email, you must either trust every computer and network your email traverses, or make sure that the email contents are encrypted before it ever leaves your computer.”