ISPs Removing Their Customers' Email Encryption
Presto Vivace points out this troubling new report from the Electronic Frontier Foundation:
Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the U.S. and Thailand intercepting their customers' data to strip a security flag — called STARTTLS — from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
I assume my email transits the internet in the clear regardless of how I send it, so I am having a hard time getting angry about this.
I dealt with this by setting my mail server up so that an authenticated connection's required for outgoing user e-mail through it, and encryption's required before the client can authenticate. The IMAP server also requires encryption and won't accept unencrypted connections. If my ISP starts pulling anything that disables encryption, my e-mail will start failing with errors. I'd recommend all mail servers be configured this way.
It's disappointing that we're increasingly having to treat our ISPs as obstructions to be worked around or opponents that need to be defeated for things to work right. We're paying them that monthly subscription to carry our traffic, we oughtn't have to jump through hoops to get our traffic carried without interference.
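The downgrade described in the EFF excerpt, and the fail-closed setup the comment above recommends, shown as an added example that is not part of the report or of any comment: it parses a server's EHLO reply, checks whether STARTTLS is still advertised, and compares what an opportunistic client and a TLS-requiring client do next. The sample replies, the `XXXXXXXA` filler keyword, and all function names are constructed for illustration.

```python
import re

# Constructed EHLO replies (not captured traffic). XXXXXXXA is a made-up filler.
INTACT = "250-mail.example.org\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
REMOVED = "250-mail.example.org\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"
MASKED = "250-mail.example.org\r\n250-SIZE 35882577\r\n250-XXXXXXXA\r\n250 8BITMIME\r\n"

REPLY_LINE = re.compile(r"^250[ -](.*)$")
FILLER = re.compile(r"^X{4,}[A-Z]?$")  # assumption: overwritten keyword looks like this


def ehlo_keywords(reply):
    """Extension keywords from a multi-line 250 EHLO reply, upper-cased."""
    keywords = []
    for index, line in enumerate(reply.splitlines()):
        match = REPLY_LINE.match(line)
        if match is None:
            raise ValueError(f"not a 250 reply line: {line!r}")
        words = match.group(1).split()
        if index > 0 and words:  # line 0 is the server's greeting, not a keyword
            keywords.append(words[0].upper())
    return keywords


def starttls_state(reply):
    """'offered', 'masked' (filler keyword present) or 'absent'."""
    keywords = ehlo_keywords(reply)
    if "STARTTLS" in keywords:
        return "offered"
    if any(FILLER.match(k) for k in keywords):
        return "masked"
    return "absent"


def next_step(reply, require_tls):
    """What a sending client does after EHLO under each policy."""
    state = starttls_state(reply)
    if state == "offered":
        return "STARTTLS"
    # 'absent' may be a server without TLS support or a stripped flag; the
    # client cannot tell them apart, so only the policy decides what happens.
    return "ABORT" if require_tls else "SEND_PLAINTEXT"


if __name__ == "__main__":
    for name, reply in (("intact", INTACT), ("removed", REMOVED), ("masked", MASKED)):
        print(name, starttls_state(reply), next_step(reply, False), next_step(reply, True))
```

With `require_tls=False` the stripped replies lead to plaintext delivery with no error, which is the silent downgrade; with `require_tls=True` the same replies produce a visible failure instead.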
If you're relying on the MTA to keep your email communications secure, you're doing it wrong. If data is important enough to encrypt, encrypt it at the sender side first.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Quick test:
1. Does it violate user expectations and privileges? Not a DMCA violation.
2. Does it expand provider powers or control? Not a DMCA violation.
3. Does it interfere with provider profits or government investigations? DMCA violation!!! Kill it!! Kill IT immediately!!!!!
"Unheard of means only it's undreamed of yet,
Impossible means not yet done." ~~ Julia Ecklar
Worst case they aren't decrypting it, they are just causing the option to encrypt not to be presented.
That's still circumvention in my books. http://www.law.cornell.edu/uscode/text/17/1201
to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner;
This is one of the most irritating things in IT. People think they can figure out law, accounting, fiscality, politics, marketing or diplomacy by using what they perceive as "common sense".
Here is the thing. All those disciplines are a gray area by nature, and the right answer is largely a matter of professional interpretation. Can you put that number in that column? Can you consider that such or such situation has caused actual damage to someone? There's no compiler to tell you if this is right or not, there's just people navigating a fuzzy field armed with their experience and knowledge. They live in a world where two people can have opposite opinions and be both right at the same time.
Anyone with a background in applied disciplines like IT or engineering is trained to look at things with a problem-solving angle. That's a great attitude, but unfortunately it sometimes makes people overestimate their grasp of concepts that are outside of their area of expertise. It's a lot like those artists who have it all figured out (war, terrorism, pollution, crime, poverty). Case in point: this "enlightened" feedback from Ben Affleck during Bill Maher's show: http://www.youtube.com/watch?v...
Don't be that guy.
lucm, indeed.