ISPs Removing Their Customers' Email Encryption
Presto Vivace points out this troubling new report from the Electronic Frontier Foundation:
Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the U.S. and Thailand intercepting their customers' data to strip a security flag — called STARTTLS — from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewalls, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
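The downgrade described above comes down to one line in the server's EHLO reply. The following is an added illustration, not code from the EFF report or from any product mentioned: it parses a constructed EHLO reply, a copy of the same reply with the STARTTLS keyword overwritten by a middlebox (the junk keyword used here is an assumption), and shows why a client that treats TLS as opportunistic silently falls back to plaintext while a client that requires TLS refuses to send.

```python
"""Opportunistic vs. mandatory STARTTLS: what a client does when a middlebox
has stripped the STARTTLS keyword from the EHLO reply. Constructed example,
no network I/O."""

# Constructed EHLO replies. The second is the same reply after a middlebox has
# overwritten the STARTTLS keyword with junk (the exact pattern is an assumption).
EHLO_INTACT = (
    "250-mail.example.net Hello [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_STRIPPED = EHLO_INTACT.replace("250-STARTTLS", "250-XXXXXXXX")


def parse_ehlo(response: str) -> set:
    """Return the set of extension keywords advertised in an EHLO reply.

    The first 250 line is the greeting; each later line carries one extension
    keyword, prefixed by "250-" (more lines follow) or "250 " (last line)."""
    lines = [ln for ln in response.split("\r\n") if ln]
    extensions = set()
    for ln in lines[1:]:
        if not ln.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {ln!r}")
        keyword = ln[4:].split(" ", 1)[0]  # drop the "250-" / "250 " prefix
        extensions.add(keyword.upper())
    return extensions


def decide(response: str, require_tls: bool) -> str:
    """Decide how a client proceeds after reading this EHLO reply.

    'tls'       -> STARTTLS is advertised and will be negotiated
    'plaintext' -> opportunistic client sends anyway (the downgrade succeeds)
    'abort'     -> mandatory-TLS client refuses to send unencrypted"""
    if "STARTTLS" in parse_ehlo(response):
        return "tls"
    return "abort" if require_tls else "plaintext"


if __name__ == "__main__":
    for label, reply in (("intact", EHLO_INTACT), ("stripped", EHLO_STRIPPED)):
        for policy in (False, True):
            print(f"{label:8} require_tls={policy!s:5} -> {decide(reply, policy)}")
```

The stripped reply is syntactically valid SMTP, which is why an opportunistic client sees nothing wrong; only a policy that refuses to proceed without STARTTLS turns the downgrade into a visible failure.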
I like your point, but seriously... "copyright", "copyrited", AND "copywrite" all in one post?
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
I assume my email transits the internet in the clear regardless how I send it so I am having a hard time getting angry about this.
For a previous job I was working onsite in a different country to my home office. For whatever reason my boss had pissed me off, so when he said he was going to email details of a salary increase I decided to yank his chain and played the "email isn't secret, and anyone could intercept it" card just to see what hoops he would jump through in order to "securely" send me this "sensitive" data.
His solution was to send me two emails. The first email had a password-protected zip file that mentioned that the salary details were inside. The second email stated that the password for the zip file was "the company name backwards". Both emails were, of course, sent from the company domain. Given how brain-dead his solution was, I concluded that I had got my money's worth from that stunt.
I am Slashdot. Are you Slashdot as well?