A Multifaceted Study on the Use of TLS and Auto-detect in Email Ecosystems
Ka Fun Tang
Network and Distributed System Security (NDSS) Symposium 2025 · Day 2 · Email Security
This talk, presented by Ka Fun Tang, examines security weaknesses in the modern email ecosystem, focusing on the client-to-server connections that run over the IMAP and POP3 protocols. The research uncovers significant flaws in how email clients handle Transport Layer Security (TLS) and certificate validation, and shows the harm done by poorly designed "auto-detect" mechanisms and by ambiguous setup guides written for IT administrators. The study highlights how a **man-in-the-middle (MITM)** adversary can exploit these weaknesses to downgrade a secure connection to plaintext and thereby capture user credentials and other sensitive information.
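The downgrade the summary refers to is easiest to see against a concrete exchange. The Python below is an added example, not code from the talk or its authors, and it models only the textbook STARTTLS-stripping pattern against an IMAP client on port 143: an active MITM relays the server's pre-TLS CAPABILITY response with STARTTLS (and LOGINDISABLED) deleted, a client that falls back to plaintext LOGIN hands its password to the attacker, and a client that insists on TLS aborts instead. The talk's own variant is not detailed on this page. The CAPABILITY line, the credentials and the function names (`parse_capabilities`, `mitm_strip_starttls`, `client_login`, `run_scenarios`) are constructed for this illustration.

```python
"""
Added illustration (not code from the talk): classic STARTTLS stripping
against an IMAP client, simulated offline with no sockets.
All server lines below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: what an honest IMAP server (RFC 3501 / RFC 2595) sends
# on port 143 before TLS. LOGINDISABLED tells clients not to LOGIN in the clear.
HONEST_CAPABILITY = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN"


def parse_capabilities(line: str) -> list[str]:
    """Split an untagged CAPABILITY response into its tokens, order preserved."""
    prefix = "* CAPABILITY "
    if not line.startswith(prefix):
        raise ValueError(f"not a CAPABILITY response: {line!r}")
    return line[len(prefix):].split()


def mitm_strip_starttls(line: str) -> str:
    """Attacker side: drop the tokens that would steer the client towards TLS."""
    kept = [c for c in parse_capabilities(line)
            if c not in ("STARTTLS", "LOGINDISABLED")]
    return "* CAPABILITY " + " ".join(kept)


@dataclass
class Outcome:
    mode: str                  # "tls", "plaintext" or "aborted"
    cleartext_password: bool   # did the password cross the wire unencrypted?
    transcript: list[str]      # C:/S: lines, for the reader


def client_login(cap_line: str, user: str, password: str,
                 require_tls: bool) -> Outcome:
    """
    Model of a client's decision after reading CAPABILITY on port 143.
    require_tls=False is the fallback behaviour that makes stripping work;
    require_tls=True is the hardened policy: no STARTTLS, no credentials.
    """
    caps = parse_capabilities(cap_line)
    log = [f"S: {cap_line}"]
    if "STARTTLS" in caps:
        log += ["C: a001 STARTTLS",
                "S: a001 OK Begin TLS negotiation now",
                "C: a002 LOGIN <sent inside TLS, not visible to the MITM>"]
        return Outcome("tls", False, log)
    if require_tls:
        log += ["C: a001 LOGOUT"]   # refuse rather than downgrade
        return Outcome("aborted", False, log)
    # Permissive fallback: exactly what the downgrade attack counts on.
    log += [f"C: a001 LOGIN {user} {password}"]
    return Outcome("plaintext", True, log)


def run_scenarios(user: str = "alice", password: str = "hunter2") -> dict[str, Outcome]:
    """Four cases: honest vs stripped capability, permissive vs strict client."""
    stripped = mitm_strip_starttls(HONEST_CAPABILITY)
    return {
        "honest/permissive": client_login(HONEST_CAPABILITY, user, password, require_tls=False),
        "honest/strict": client_login(HONEST_CAPABILITY, user, password, require_tls=True),
        "stripped/permissive": client_login(stripped, user, password, require_tls=False),
        "stripped/strict": client_login(stripped, user, password, require_tls=True),
    }


if __name__ == "__main__":
    for name, out in run_scenarios().items():
        print(f"[{name}] mode={out.mode} password_in_clear={out.cleartext_password}")
        for line in out.transcript:
            print("   ", line)
```

Only the "stripped/permissive" case leaks the password, and nothing the attacker did involved a certificate: the client never reached the TLS handshake, so certificate validation, however strict, cannot catch this. The hardened policy is to treat a port-143 session without STARTTLS as a fatal error (or to use implicit TLS on port 993), which is what the `require_tls=True` branch models.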
AI review
Solid academic security research with real findings: a novel TLS stripping variant that bypasses user prompts, systematic hostname validation failures across 19 clients, and a data-driven teardown of 810 university setup guides. This is the kind of quiet, methodical work that doesn't get headlines but actually moves the needle on widely deployed infrastructure.