While Website owners may have noticed the need to get rid of old, buggy or weak crypto, those operating e-mail servers seem to be operating on autopilot.
Not in a good way, either: the world of e-mail is headed for “controlled flight into terrain” if sysadmins don't grab the controls and get to work, the researchers from Austria's SBA Research and the St Pölten University of Applied Sciences say.
“The recent increase in HTTPS certificate security (moving certificates from 1024 to 2048 bit) went totally unnoticed for all e-mail related ports, IPv4-wide”.
Still feeling relaxed? How about this: “millions of hosts are currently misconfigured to allow AUTH-PLAIN over unencrypted connections”.
Moreover, users can't easily check server certificates in e-mail, making it easy for an attacker to present a fake cert, and deprecated TLS versions 1.1 and 1.2 were accepted by 650,000 SMTP servers.
To compile the data, the SBA Research team conducted 10 billion TLS handshakes over three months, testing 20 million IP/port combinations covering the SMTP, POP3 and IMAP mail protocols.
The first step in solving this, the paper says, is for players like Google, Microsoft and Yahoo to push the deprecation of insecure e-mail mechanisms. This would force sysadmins to follow, since if you can't handshake with Gmail (for example), your users are bound to notice. ®