Dr Ralph Holz, lecturer in Networks and Security at the University of Sydney School of Information Technologies and co-appointed researcher at Data61 a premier innovation network, says experts have suspected weaknesses in email cryptographic setups and authentication for some time but there has been no hard evidence to support these suspicions.
The research team conducted active scans of the entire Internet, testing the setups of mail and chat servers before analysing the passive Internet traffic of more than 50,000 users in the United States in more than 16 million encrypted connections.
Results of their study revealing how emails can be poorly protected when in transit will be presented at the Internet Society’s Network and Distributed System Security Symposium in San Diego this week.
Dr Holz, a specialist in internet communication and co-appointed researcher at Data61, a premier innovation network, said “We investigated both the client-to-server interactions as well as server-to-server forwarding mechanisms. These can be configured in a number of ways, but these many combinations are leading to insecure deployments.
“We ran continuous scans of the Internet’s most important security protocols and applications to detect deployment patterns that open systems to attacks.
“While email between users of major providers such as Gmail or Hotmail is relatively secure, this is not true in more general cases and several serious weaknesses exist.
“One of the largest problems identified in the analysis is the lack of support for encryption—less than half of the mail servers supported even basic encrypted communication, and 17 percent used insecure cryptography.
“Only a third of mail servers can prove their identity securely; this means that a sending party often cannot determine whether an email is going to reach the right receiver or will be intercepted at some point,” the Sydney IT School lecturer said.
The researchers will offer several recommendations based on their analysis to help change the status quo, which include providing more measurements and urging software makers to use sane default configurations.
University of Sydney researchers worked with a group which included members from Data61 (Australia), ICSI (USA), and the Technical University of Munich (Germany).
University of Sydney School of Information TechnologyInformation technology professionals create and manage business applications, websites, systems and the IT environment for organizations. Drawing on both computer science and information systems, it involves the study of computers and the programs that run on them as well as the creation of computer systems that satisfy individual and organizational needs.
The University of Sydney School of Information Technologies offers a Master of Information Technology for professionals wanting to extend and update their knowledge of advanced computing subjects, as well as a Master of Information Technology Management, for technically skilled graduates seeking to move up the management ladder.