Researchers uncover weaknesses in email security


By Dylan Bushell-Embling
Monday, 22 February, 2016


Researchers uncover weaknesses in email security

An international research team involving experts from the University of Sydney has provided the first evidence of the vulnerability of email as a communications mechanism.

The researchers conducted active scans of the entire internet focused on testing the security and integrity of mail and chat servers. The study also involved analysing the passive internet traffic of over 50,000 US users in more than 16 million encrypted connections.

Dr Ralph Holz, lecturer in networks and security at the University of Sydney’s School of Information Technologies and co-appointed researcher at Data61, said the research confirms suspected weaknesses in email cryptographic set-ups and authentication.

It shows that emails can be poorly protected while in transit. One of the main problems identified was a lack of support for encryption.

Less than half of the mail servers supported even basic encrypted communication, and 17% used insecure cryptography, Holz said. Only one in three mail servers can prove their identity securely.

“We investigated both the client-to-server interactions as well as server-to-server forwarding mechanisms. These can be configured in a number of ways, but these many combinations are leading to insecure deployments,” he said.

“We ran continuous scans of the internet’s most important security protocols and applications to detect deployment patterns that open systems to attacks. While email between users of major providers such as Gmail or Hotmail is relatively secure, this is not true in more general cases and several serious weaknesses exist.”

Holz and other University of Sydney researchers worked with a group including members from Data61, as well as the USA’s ICSI and Germany’s Technical University of Munich.

The researchers will present details of their research, including recommendations to help change the security status quo, at the Internet Society’s Network and Distributed System Security Symposium in San Diego next week.

Last month Electronic Frontiers Australia joined signatories in more than 35 countries in calling on world leaders to reject any law that would undermine strong encryption and by extension the integrity of the internet.

Image courtesy of Yuri Samoilov under CC

Related Articles

Strategies for navigating Java vulnerabilities

Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...

Not all cyber risk is created equal

The key to mitigating cyber exposure lies in preventing breaches before they happen.

How AI can help businesses manage their cyber risks

Artificial intelligence can be a powerful ally in the fight against cyberthreats.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd