NDSS 2025 – A Multifaceted Study On The Use of TLS And Auto-detect In Email Ecosystems
<p>Session 8A: Email Security </p><p></p><center data-preserve-html-node="true"><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" src="https://www.youtube-nocookie.com/embed/Nu7-AmgqfMM?si=jO2iA-G-XIDFcFWc" width="560" frameborder="0" data-preserve-html-node="true" title="YouTube video player" height="315"></iframe> <p></p><center data-preserve-html-node="true">Authors, Creators & Presenters: Ka Fun Tang (The Chinese University of Hong Kong), Che Wei Tu (The Chinese University of Hong Kong), Sui Ling Angela Mak (The Chinese University of Hong Kong), Sze Yiu Chau (The Chinese University of Hong Kong) <p></p><center data-preserve-html-node="true">PAPER<br> <center data-preserve-html-node="true">A Multifaceted Study on the Use of TLS and Auto-detect in Email Ecosystems <p></p><center data-preserve-html-node="true">Various email protocols, including IMAP, POP3, and SMTP, were originally designed as “plaintext” protocols without inbuilt confidentiality and integrity guarantees. To protect the communication traffic, TLS can either be used implicitly before the start of those email protocols, or introduced as an opportunistic upgrade in a post-hoc fashion. In order to improve user experience, many email clients nowadays provide a so-called “auto-detect” feature to automatically determine a functional set of configuration parameters for the users. In this paper, we present a multifaceted study on the security of the use of TLS and auto-detect in email clients. First, to evaluate the design and implementation of client-side TLS and auto-detect, we tested 49 email clients and uncovered various flaws that can lead to covert security downgrade and exposure of user credentials to attackers. 
Second, to understand whether current deployment practices adequately avoid the security traps introduced by opportunistic TLS and auto-detect, we collected and analyzed 1102 email setup guides from academic institutes across the world, and observed problems that can drive users to adopt insecure email settings. Finally, with the server addresses obtained from the setup guides, we evaluate the server-side support for implicit and opportunistic TLS, as well as the characteristics of their certificates. Our results suggest that many users suffer from an inadvertent loss of security due to careless handling of TLS and auto-detect, and organizations in general are better off prescribing concrete and detailed manual configuration to their users. <hr> <p></p><center data-preserve-html-node="true">ABOUT NDSS<br> <center data-preserve-html-node="true">The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies. <hr> <p>Our thanks to the <a href="https://www.ndss-symposium.org/">Network and Distributed System Security (NDSS) Symposium</a> for publishing their Creators, Authors and Presenters’ superb <a href="https://www.youtube.com/@NDSSSymposium">NDSS Symposium 2025 Conference</a> content on the <a href="https://www.ndss-symposium.org/">Organization’s</a> <a href="https://youtube.com/@ndsssymposium?si=lLtn9sVVEwmZ8J9h3">YouTube Channel</a>. 
</p> <p></p></center></center></center></center></center></center></center><p><a href="https://www.infosecurity.us/blog/2026/1/1/ndss-2025-a-multifaceted-study-on-the-use-of-tls-and-auto-detect-in-email-ecosystems">Permalink</a></p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.infosecurity.us/">Infosecurity.US</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Marc Handelman">Marc Handelman</a>. Read the original post at: <a href="https://www.youtube-nocookie.com/embed/Nu7-AmgqfMM?si=jO2iA-G-XIDFcFWc">https://www.youtube-nocookie.com/embed/Nu7-AmgqfMM?si=jO2iA-G-XIDFcFWc</a> </p>
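<p>An added example, not code from the paper, its authors or any client they tested: a simplified model of the abstract's point that auto-detect combined with opportunistic TLS can end in a covert downgrade, set beside a fail-closed variant. The <code>Probe</code> type, the function names and the sample probe results are all hypothetical and constructed for illustration.</p>

```python
from dataclasses import dataclass

# Security modes an IMAP client can end up with, strongest first.
IMPLICIT_TLS, STARTTLS, PLAINTEXT = "implicit-tls", "starttls", "plaintext"

@dataclass(frozen=True)
class Probe:
    """Outcome of one auto-detect attempt (hypothetical model, constructed data)."""
    port: int
    tls_handshake_ok: bool  # implicit TLS handshake completed and cert verified
    capability_line: str    # pre-TLS IMAP CAPABILITY response, "" if none seen

def offers_starttls(capability_line: str) -> bool:
    """True if the untagged CAPABILITY response advertises STARTTLS."""
    tokens = capability_line.upper().split()
    return tokens[:2] == ["*", "CAPABILITY"] and "STARTTLS" in tokens

def _tls_choice(p: Probe):
    """Return a TLS-protected (port, mode) for this probe, or None."""
    if p.tls_handshake_ok:
        return (p.port, IMPLICIT_TLS)
    if offers_starttls(p.capability_line):
        return (p.port, STARTTLS)
    return None

def lenient_autodetect(probes):
    """Fallback-style auto-detect: accept the first mode that works at all."""
    for p in probes:
        choice = _tls_choice(p)
        if choice is None and p.capability_line:
            choice = (p.port, PLAINTEXT)  # silent downgrade, credentials in clear
        if choice:
            return choice
    return None

def strict_autodetect(probes):
    """Fail-closed variant: never select a mode without TLS."""
    for p in probes:
        choice = _tls_choice(p)
        if choice:
            return choice
    return None  # caller must surface an error, not retry in plaintext

def silently_downgraded(probes) -> bool:
    """Check: would the lenient logic have settled on plaintext?"""
    choice = lenient_autodetect(probes)
    return choice is not None and choice[1] == PLAINTEXT

# Constructed probe results: a healthy path, and one where no TLS option is seen.
HEALTHY = [Probe(993, True, ""), Probe(143, False, "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED")]
DEGRADED = [Probe(993, False, ""), Probe(143, False, "* CAPABILITY IMAP4rev1 AUTH=PLAIN")]
```

<p>On the degraded sample the lenient logic settles on plaintext port 143 without any user-visible signal, while the strict variant returns nothing and forces an error.</p>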