In the last few days, Google has said that it will soon start warning Gmail users of potential security risks when they receive an email over a non-encrypted connection. We agree that raising user awareness of the vulnerability of unencrypted email is a good thing. At Zix we typically encrypt over 1 million messages a day, and all of them carry our signature branding to better inform the recipient. However, we are concerned that the conclusions of the paper, conducted by researchers at the University of Michigan, Google, and the University of Illinois at Urbana-Champaign, have been widely misinterpreted by parts of the media. For example, one newspaper is reporting on the “Alarming Rise in encrypted messaging” and warning that encryption is reaching epidemic proportions, while at the other end of the spectrum a TechCrunch article is creating a false sense of security.
Why do we think it’s producing a false sense of security? The paper focuses on Transport Layer Security (TLS), which is a very basic form of point-to-point email encryption. The media have interpreted a rise in TLS as ‘we’re almost there’ in terms of broad usage of email encryption. For example, the previously mentioned TechCrunch article provides these statistics: “Over the last few years (and especially after the Snowden leaks), Google and other email providers started to change this and today, 57 percent of messages that users on other email providers send to Gmail are encrypted (and 81 percent of outgoing messages from Gmail are, too). Gmail-to-Gmail traffic is always encrypted.”
The university paper includes security warnings, which make perfect sense. The paper focuses on opportunistic TLS and leads with the fact that Gmail, Yahoo and Outlook all proactively encrypt and authenticate emails. The study finds that, of the “long tail” of over 700,000 SMTP servers, only 35% successfully encrypt, and only a tiny 1.1% specify a DMARC authentication policy. This is the essence of where we are, and we should not accept the falsehood that poorly implemented point-to-point TLS has achieved mainstream usage.
Even in situations where TLS appears to be working correctly there can be fragility: the study reports that between October 8th and 17th of 2015, successful outbound STARTTLS dropped dramatically, corresponding with the public disclosure of the POODLE man-in-the-middle exploit. It appears that system administrators, while applying the patch against POODLE, accidentally misconfigured mail servers, thus disabling previously working implementations of STARTTLS. Another concern flagged by the study is that MX records (mail exchanger records), which record domain names and specify how email should be routed by SMTP, are easily spoofed by hackers. That is, hackers can return the names of false servers that they themselves control. There is a protection against this named Domain Name System Security Extensions (DNSSEC); however, the study states that less than 0.6% of domains have deployed DNSSEC.
Google’s study dramatically demonstrates the need for email encryption and shows conclusively that users who depend upon this free TLS technology are just as likely to be unprotected as protected. Most business domains are not properly configured for TLS. The TLS protection afforded is hit-and-miss, and so companies that require the guarantee of security cannot rely on this. It certainly does not meet the standards of regulatory bodies that require the protection of client information. Remember, in the opportunistic TLS environment described in the study, when STARTTLS does not work, the system fails open: that is, the email is sent in clear text. Even when it does work, authenticating the sender or sending domain is still not guaranteed.
Zix solutions, however, let customers control the level of server authentication required for TLS connections. Likewise, Zix lets its customers set the level of cipher that is used in encrypting emails, such as AES-256. Zix utilizes the Best Method of Delivery (BMOD), which ensures that email delivery is secure while making the sender’s and the recipient’s user experience as easy as possible. BMOD can include the use of TLS, but only in situations where the recipient’s TLS implementation is known to be secure, both in its level of authentication and in the encryption ciphers used. Zix’s primary method of delivery, however, is transparent delivery within a community of trust, using S/MIME with public/private keys and certificates.
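To make the fail-open behaviour described above concrete, and to show what an enforced per-recipient policy (required TLS, or TLS with a verified server certificate and AES-256 suites) looks like next to it, here is an added example. It is illustrative code written for this post, not Zix’s product code or the study’s tooling; the policy names, the helper functions and the EHLO replies are all constructed for the example, and the handshake and certificate results are passed in as flags rather than taken from a live connection.

```python
import ssl
from enum import Enum

class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"        # fail open: cleartext if TLS unavailable
    REQUIRE_TLS = "require-tls"            # fail closed: no TLS, no delivery
    REQUIRE_VERIFIED = "require-verified"  # fail closed unless the certificate verifies

def parse_ehlo(reply: str) -> set:
    """Extract extension keywords (e.g. STARTTLS) from a multi-line 250 EHLO reply.
    The first reply line carries the server's hostname, not an extension."""
    lines = reply.splitlines()
    if not lines or not all(l.startswith("250") for l in lines):
        raise ValueError("not a successful EHLO reply")
    caps = set()
    for line in lines[1:]:
        words = line[4:].split()          # text after '250-' or '250 '
        if words:
            caps.add(words[0].upper())
    return caps

def decide_delivery(policy, ehlo_reply, handshake_ok, cert_verified):
    """Return ('encrypted'|'cleartext'|'refused', reason) for one outbound SMTP hop.
    handshake_ok / cert_verified stand in for the outcome of the real STARTTLS attempt."""
    offered = "STARTTLS" in parse_ehlo(ehlo_reply)
    if not offered or not handshake_ok:
        reason = "STARTTLS not offered" if not offered else "TLS handshake failed"
        if policy is Policy.OPPORTUNISTIC:
            return "cleartext", reason + "; falling back to plaintext (fail open)"
        return "refused", reason + "; policy forbids plaintext (fail closed)"
    if not cert_verified and policy is Policy.REQUIRE_VERIFIED:
        return "refused", "peer certificate did not verify; server not authenticated"
    auth = "authenticated server" if cert_verified else "unauthenticated peer"
    return "encrypted", f"TLS established ({auth})"

def verified_tls_context():
    """Client SSLContext for the REQUIRE_VERIFIED policy: peer verification, hostname
    matching and AES-256 suites only (OpenSSL cipher-list syntax for TLS 1.2 suites)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AES256")
    return ctx

# Constructed EHLO replies: one server advertising STARTTLS, one that does not.
EHLO_WITH_TLS = "250-mx.example.net Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.example.net Hello\r\n250-SIZE 52428800\r\n250 8BITMIME"

if __name__ == "__main__":
    for pol in Policy:
        print(pol.value, decide_delivery(pol, EHLO_NO_TLS, False, False))
        print(pol.value, decide_delivery(pol, EHLO_WITH_TLS, True, False))
```

Under OPPORTUNISTIC the message leaves in cleartext whenever STARTTLS is missing or fails; under REQUIRE_VERIFIED an encrypted but unauthenticated session is still refused, which is the distinction between encryption and server authentication made above.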
Zix secure email solutions can be found here.