A team of researchers, including CSL and ECE Associate Professor Michael Bailey, has received The Applied Networking Research Prize (ANRP) for their paper, "Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security."
Written by August Schiess, CSL
A team of researchers, including CSL and ECE Associate Professor michael Bailey, has received The Applied Networking Research Prize (ANRP) for their paper, "Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security.”
The ANRP, presented at the 2016 Internet Engineering Task Force (IETF) meeting, recognizes recent results in applied networking research that are relevant for transitioning into shipping Internet products and related standardization efforts.
Email security helps protect some of our most sensitive data: password recovery confirmations, financial data, confidential correspondences, and more. According to the report, Bailey, in collaboration with colleagues at the University of Michigan and Google, found that email security is significantly better than it was two years ago, but still has widespread issues.
The networking protocols that underlie today’s Internet were not originally built to be secure—it was only years later that security protocols were “bolted on” to the existing systems. However, despite there being measures in place to solve these security issues, each individual email server has the choice whether to adopt these protocols, and many servers have not.
In the paper, Bailey and his team highlighted some of the implications of “bolted on security” in today’s email ecosystem. For example, because the protocols that govern email-server-to-email-server communication were originally not designed to support encryption, a command called STARTTLS was later added that allowed two email servers to negotiate a secure connection. However, because this command is issued prior to setting up a secure connection, an attacker can corrupt the STARTTLS negotiation, forcing the email exchange to continue without encryption. The report highlights, for example, seven countries where more than 20 percent of incoming emails were intentionally downgraded by STARTTLS modification.