Dr Ralph Holz, lecturer in Networks and Security at the University of Sydney’s School of Information Technologies and co-appointed researcher at Data61 a premier innovation network, says experts have suspected weaknesses in email cryptographic setups and authentication for some time but there has been no hard evidence to support these suspicions.
While email between users of major providers such as Gmail or Hotmail is relatively secure, this is not true in more general cases and several serious weaknesses exist
The research team conducted active scans of the entire Internet, testing the setups of mail and chat servers before analysing the passive Internet traffic of more than 50,000 users in the United States in more than 16 million encrypted connections.
Results of their study revealing how emails can be poorly protected when in transit will be presented at the Internet Society's Network and Distributed System Security Symposium in San Diego next week.
Dr Holz, a specialist in internet communication and co-appointed researcher at Data61, a premier innovation network, said:
“We investigated both the client-to-server interactions as well as server-to-server forwarding mechanisms. These can be configured in a number of ways, but these many combinations are leading to insecure deployments.
“We ran continuous scans of the Internet’s most important security protocols and applications to detect deployment patterns that open systems to attacks.
“While email between users of major providers such as Gmail or Hotmail is relatively secure, this is not true in more general cases and several serious weaknesses exist.
“One of the largest problems identified in the analysis is the lack of support for encryption - less than half of the mail servers supported even basic encrypted communication, and 17 percent used insecure cryptography.
“Only a third of mail servers can prove their identity securely; this means that a sending party often cannot determine whether an email is going to reach the right receiver or will be intercepted at some point,” Dr Holz says.
The researchers will offer several recommendations based on their analysis to help change the status quo, which include providing more measurements and urging software makers to use sane default configurations.
University of Sydney researchers worked with a group which included members from Data61 (Australia), ICSI (USA), and the Technical University of Munich (Germany).
Dr Suranga Seneviratne from the Faculty of Engineering and Professor Carol Hsu from the Business School analyse how the proposed registry will help prevent these scams.