No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large
Wilfried Mayer, Aaron Zauner, Martin Schmiedecker, Markus Huber

TL;DR
This study presents a scalable method to evaluate TLS security in the e-mail ecosystem, revealing current vulnerabilities and the complexity of securing server-to-server communication across the entire IPv4 range.
Contribution
It introduces a novel, scalable methodology using commodity hardware and open-source tools to assess TLS configurations in the e-mail ecosystem at large scale.
Findings
TLS security in e-mail protocols is inconsistent and often insecure.
Securing server-to-server e-mail communication is more challenging than client-to-server.
TLS certificate trust anchors in e-mail show volatility but an overall improving trend.
Abstract
TLS is the most widely used cryptographic protocol on the Internet. While many recent studies focused on its use in HTTPS, none so far analyzed TLS usage in e-mail related protocols, which often carry highly sensitive information. Since end-to-end encryption mechanisms like PGP are seldomly used, today confidentiality in the e-mail ecosystem is mainly based on the encryption of the transport layer. A well-positioned attacker may be able to intercept plaintext passively and at global scale. In this paper we are the first to present a scalable methodology to assess the state of security mechanisms in the e-mail ecosystem using commodity hardware and open-source software. We draw a comprehensive picture of the current state of every e-mail related TLS configuration for the entire IPv4 range. We collected and scanned a massive data-set of 20 million IP/port combinations of all related…
