NDSS 2025 – A Multifaceted Study On The Use of TLS And Auto-detect In Email Ecosystems
研究分析了TLS和自动检测功能在电子邮件系统中的安全性问题。通过对49个邮件客户端的测试及1102份邮件设置指南的分析,发现多种安全漏洞和配置问题可能导致用户数据泄露或通信被降级。结果显示许多用户因配置不当而无意中降低安全性。
2026-1-7 20:0:0
Author: securityboulevard.com(查看原文)
阅读量:3
收藏
Session 8A: Email Security
Authors, Creators & Presenters: Ka Fun Tang (The Chinese University of Hong Kong), Che Wei Tu (The Chinese University of Hong Kong), Sui Ling Angela Mak (The Chinese University of Hong Kong), Sze Yiu Chau (The Chinese University of Hong Kong)
PAPER
A Multifaceted Study on the Use of TLS and Auto-detect in Email Ecosystems
Various email protocols, including IMAP, POP3, and SMTP, were originally designed as “plaintext” protocols without inbuilt confidentiality and integrity guarantees. To protect the communication traffic, TLS can either be used implicitly before the start of those email protocols, or introduced as an opportunistic upgrade in a post-hoc fashion. In order to improve user experience, many email clients nowadays provide a so-called “auto-detect” feature to automatically determine a functional set of configuration parameters for the users. In this paper, we present a multifaceted study on the security of the use of TLS and auto-detect in email clients. First, to evaluate the design and implementation of client-side TLS and auto-detect, we tested 49 email clients and uncovered various flaws that can lead to covert security downgrade and exposure of user credentials to attackers. Second, to understand whether current deployment practices adequately avoid the security traps introduced by opportunistic TLS and auto-detect, we collected and analyzed 1102 email setup guides from academic institutes across the world, and observed problems that can drive users to adopt insecure email settings. Finally, with the server addresses obtained from the setup guides, we evaluate the sever-side support for implicit and opportunistic TLS, as well as the characteristics of their certificates. Our results suggest that many users suffer from an inadvertent loss of security due to careless handling of TLS and auto-detect, and organizations in general are better off prescribing concrete and detailed manual configuration to their users.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
