Security by any other name: On the effectiveness of provider based email security

Ian Foster, Jon Larson, Max Masich, Alex C. Snoeren, Stefan Savage, Kirill Levchenko

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Email as we use it today makes no guarantees about message integrity, authenticity, or confidentiality. Users must explicitly encrypt and sign message contents using tools like PGP if they wish to protect themselves against message tampering, forgery, or eavesdropping. However, few do, leaving the vast majority of users open to such attacks. Fortunately, transport-layer security mechanisms (available as extensions to SMTP, IMAP, POP3) provide some degree of protection against network-based eavesdropping attacks. At the same time, DKIM and SPF protect against network-based message forgery and tampering. In this work we evaluate the security provided by these protocols, both in theory and in practice. Using a combination of measurement techniques, we determine whether major providers supports TLS at each point in their email message path, and whether they support SPF and DKIM on incoming and outgoing mail. We found that while more than half of the top 20,000 receiving MTAs supported TLS, and support for TLS is increasing, servers do not check certificates, opening the Internet email system up to man-in-the-middle eavesdropping attacks. At the same time, while use of SPF is common, enforcement is limited. Moreover, few of the senders we examined used DKIM, and fewer still rejected invalid DKIM signatures. Our findings show that the global email system provides some protection against passive eavesdropping, limited protection against unprivileged peer message forgery, and no protection against active network-based attacks. We observe that protection even against the latter is possible using existing protocols with proper enforcement.

Original languageEnglish (US)
Title of host publicationCCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Pages450-463
Number of pages14
ISBN (Electronic)9781450338325
DOIs
StatePublished - Oct 12 2015
Externally publishedYes
Event22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States
Duration: Oct 12 2015Oct 16 2015

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
Volume2015-October
ISSN (Print)1543-7221

Other

Other22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country/TerritoryUnited States
CityDenver
Period10/12/1510/16/15

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Security by any other name: On the effectiveness of provider based email security'. Together they form a unique fingerprint.

Cite this