SoK: Securing Email: A Stakeholder-Based Analysis
J Clark, PC van Oorschot, S Ruoti, K Seamons, D Zappala
Email is probably the most valuable service on the Internet, but there are challenges in building a secure email system that is suitable for all users. Efforts to provide security for email have been ongoing for decades. PGP has usability and trust-model mismatch issues: the PGP web of trust was designed to model social interaction, rather than decision-making processes in governments and large enterprises. It is not a one-size-fits-all trust model.
Furthermore, the scheme is still vulnerable, for example to stripping attacks. In these attacks a man-in-the-middle removes the "STARTTLS" (use encryption) request sent by a client computer while it is preparing to send the email. The client then continues communicating with the server over an unencrypted channel, even though it intended to use encryption.
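The defence against the stripping attack described above is a policy decision in the client: if TLS is required and cannot be negotiated, refuse to send rather than fall back to cleartext. The following is an added example, not code from the paper or its authors; the hypothetical `decide_transport` policy, the `TlsRequired` exception and the EHLO/STARTTLS replies are constructed for illustration. It covers both the variant in the summary (the client's STARTTLS command is intercepted and gets a refusal) and the related variant in which the STARTTLS advertisement is missing from the server's EHLO reply.

```python
"""Fail-closed STARTTLS policy for an SMTP client (added example; not the
paper's code). The names and the EHLO/STARTTLS replies below are
constructed for illustration, not captured from any real server."""
import re

# Constructed server replies (sample data, not real captures).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# The same reply as the client sees it when an on-path party has removed
# the STARTTLS advertisement.
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
STARTTLS_OK = "220 2.0.0 Ready to start TLS\r\n"
# Reply the client gets when its STARTTLS command was intercepted and never
# reached the server (the variant described in the summary above).
STARTTLS_REFUSED = "454 4.7.0 TLS not available due to temporary reason\r\n"


class TlsRequired(Exception):
    """Raised when policy demands TLS but the exchange cannot deliver it."""


def parse_ehlo_extensions(ehlo_response: str) -> set:
    """Return the ESMTP keywords advertised in a multi-line EHLO reply.
    The first 250 line carries the server domain and greeting text, so it
    is skipped; every later line is '250-KEYWORD [params]' or '250 KEYWORD'."""
    lines = [ln for ln in ehlo_response.split("\r\n") if ln]
    keywords = set()
    for line in lines[1:]:
        match = re.match(r"^250[ -]([A-Za-z0-9]+)", line)
        if match:
            keywords.add(match.group(1).upper())
    return keywords


def decide_transport(ehlo_response: str, starttls_reply: str = "",
                     require_tls: bool = False) -> str:
    """Decide how the session proceeds.

    Returns "tls" when STARTTLS was advertised and the STARTTLS command got a
    220 reply, "plaintext" when the policy tolerates cleartext fallback, and
    raises TlsRequired when require_tls is set and TLS cannot be negotiated.
    The opportunistic default (require_tls=False) is exactly the behaviour a
    stripping attack exploits."""
    advertised = "STARTTLS" in parse_ehlo_extensions(ehlo_response)
    # A client only sends STARTTLS after seeing it advertised.
    accepted = advertised and starttls_reply.startswith("220")
    if accepted:
        return "tls"
    if require_tls:
        reason = "not advertised in EHLO" if not advertised else "STARTTLS command refused"
        raise TlsRequired(f"refusing cleartext delivery: {reason}")
    return "plaintext"


if __name__ == "__main__":
    print("honest server:", decide_transport(EHLO_WITH_STARTTLS, STARTTLS_OK, require_tls=True))
    for ehlo, reply in ((EHLO_WITHOUT_STARTTLS, ""),
                        (EHLO_WITH_STARTTLS, STARTTLS_REFUSED)):
        print("opportunistic client:", decide_transport(ehlo, reply, require_tls=False))
        try:
            decide_transport(ehlo, reply, require_tls=True)
        except TlsRequired as exc:
            print("fail-closed client:", exc)
```

The point of the example is the `require_tls` switch: the same exchange that the opportunistic client accepts as "plaintext" makes the fail-closed client abort. In Python's real `smtplib`, `SMTP.starttls()` raises `SMTPNotSupportedError` when the server did not advertise the extension; the common mistake that makes stripping work is catching that exception and continuing with `sendmail()` anyway.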
There are interoperability challenges in building a secure email system. Conflicting interests among stakeholders explain the lack of widespread adoption of secure email solutions. A one-size-fits-all solution is unlikely, and multiple solutions can co-exist. These systems can be evaluated in terms of:
1. Security properties: These properties include confidentiality, integrity, and availability. Confidentiality refers to the protection of email content from unauthorized access, while integrity refers to the protection of email content from unauthorized modification. Availability refers to the ability of email systems to provide reliable and timely access to email content.
2. Utility properties: These properties include functionality, performance, and scalability. Functionality refers to the features and capabilities of email systems, while performance refers to the speed and responsiveness of email systems. Scalability refers to the ability of email systems to handle large volumes of email traffic.
3. Deployability properties: These properties include compatibility, configurability, and maintainability. Compatibility refers to the ability of email systems to work with existing email clients and infrastructure. Configurability refers to the ease with which email systems can be configured and customized. Maintainability refers to the ease with which email systems can be updated and maintained over time.
4. Usability properties: These properties include learnability, efficiency, and satisfaction. Learnability refers to the ease with which users can learn to use email systems. Efficiency refers to the speed and ease with which users can perform common tasks using email systems. Satisfaction refers to the overall user experience of using email systems.
Email lacks strong security guarantees and current security enhancements are not widely used or compatible, leading to fragmented solutions. PGP arguably has failed and there is still a need for secure messaging.
Clark, J., van Oorschot, P. C., Ruoti, S., Seamons, K., & Zappala, D. (2021). SoK: Securing email—a stakeholder-based analysis. In Financial Cryptography and Data Security: 25th International Conference, FC 2021, Virtual Event, March 1–5, 2021, Revised Selected Papers, Part I (pp. 360–390). Springer Berlin Heidelberg.