The Pentagon Says It Will Start Encrypting Soldiers' Emails Next Year (vice.com)
An anonymous reader shares a Motherboard report: Basic decade-old encryption technology is finally coming to Pentagon email servers next year. For years, major online email providers such as Google and Microsoft have used encryption to protect your emails as they travel across the internet. That technology, technically known as STARTTLS, isn't a cutting edge development -- it's been around since 2002. But since that time the Pentagon never implemented it. As a Motherboard investigation revealed in 2015, the lack of encryption potentially left some soldiers' emails open to being intercepted by enemies as they travel across the internet. The US military uses its own internal service, mail.mil, which is hosted on the cloud for 4.5 million users. But now the Defense Information Systems Agency or DISA, the Pentagon's branch that oversees email, says it will finally start using STARTTLS within the year, according to a letter from DISA. DISA's promise comes months after Senator Ron Wyden (D-Oregon) said he was concerned that the agency wasn't taking advantage of "a basic, widely used, easily-enabled cybersecurity technology."
None of this, of course, is to say that encryption of email itself has been unavailable. Indeed I use the credentials on my CAC (Common Access Card) to encrypt most if not all of my email before sending it.
If you want news from today, you have to come back tomorrow.
...I think people have misconceptions about how exactly email works. It's not bounced around from server to server until it gets to its destination.
It's delivered directly to whichever server(s) you specified in your domain's MX record. So emails cannot simply be intercepted by whomever just like that.
However, by default it is sent as clear text, which means in theory your Tier 3 (your ISP), Tier 2 and Tier 1 providers could intercept those emails, since the packets have to pass through their networking equipment to get to their destination. But if most confidential emails are internal, then you could set up VPN tunnels between servers and that solves that problem. If you are sharing top secret or confidential military info, you should be encrypting every email you send via your email client, regardless of whether the servers transmit it in clear text or not.
StartTLS is no panacea; an active MITM peer can simply strip the request.
Actually, no.
- If you set StartTLS to "required" (or if you use IMAPS), your client will only go further if a successful SSL/TLS encrypted link is established with the server.
The MITM can't just strip the request; the client will refuse to connect.
- SSL/TLS links will fail if they are not signed by a recognized authority.
The attacker needs to have a key that is signed by a trusted authority (and thus either needs to have a certificate issuer in cahoots - has actually happened with some cert authorities in the past - or needs to manage to get control of the e-mail server (and thus can actually access it without MITM), OR can steal the original private key and freely MITM, OR can generate a new key, have it at least non-EV signed, and use this new key for MITM).
MITM is the main class of problems that SSL/TLS can successfully fight (when done right).
(As opposed to the "privacy" class of problems, which are better handled with end-to-end encryption, like PGP / GPG (web of trust) or S/MIME (public key / certificates).)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
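The disagreement in the two comments above comes down to one client setting. The following is an added example, not code from the Slashdot post or from DISA: a toy model of the SMTP STARTTLS negotiation (no sockets, no real TLS) with an on-path attacker that either deletes the "250-STARTTLS" capability line or answers the STARTTLS command with a 454. The server hostname, the capability list and the attacker functions are constructed for the example. A client that treats TLS as opportunistic (the default for most MTA-to-MTA delivery, including the server-side change the summary describes) falls back to clear text under both attacks; a client with TLS set to "required" refuses to send instead, which is the trade-off the second commenter is relying on.

```python
"""Toy model of SMTP STARTTLS negotiation under an active on-path attacker.

Added example; not code from the original post.  The dialogue is modelled
as lists of reply lines, so it runs offline.  Hostname and capabilities are
constructed placeholders.
"""
from dataclasses import dataclass

# Constructed EHLO reply from a hypothetical server that offers STARTTLS.
SERVER_EHLO = [
    "250-mx.example.test Hello",   # placeholder hostname, not a real host
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 HELP",
]


def honest_server(cmd):
    """Replies of an unmodified server for the two commands the model uses."""
    if cmd == "EHLO":
        return list(SERVER_EHLO)
    if cmd == "STARTTLS":
        return ["220 2.0.0 Ready to start TLS"]
    raise ValueError(f"unexpected command {cmd!r}")


def no_attacker(cmd, reply):
    """Passive path: replies are forwarded untouched."""
    return reply


def strip_capability(cmd, reply):
    """Attack 1: delete the STARTTLS line from the EHLO reply."""
    if cmd == "EHLO":
        return [line for line in reply if not line.upper().endswith("STARTTLS")]
    return reply


def refuse_upgrade(cmd, reply):
    """Attack 2: leave the advertisement alone but fail the STARTTLS command."""
    if cmd == "STARTTLS":
        return ["454 4.7.0 TLS not available due to temporary reason"]
    return reply


@dataclass(frozen=True)
class Outcome:
    delivered: bool   # did the client go on to send the message?
    encrypted: bool   # was TLS negotiated before it did?
    reason: str


def parse_capabilities(ehlo_reply):
    """Keywords from a multi-line 250 reply, skipping the greeting line."""
    return {line[4:].split()[0].upper() for line in ehlo_reply[1:] if len(line) > 4}


def client(server, attacker, require_tls):
    """Client-side decision logic after EHLO, for opportunistic or required TLS."""
    caps = parse_capabilities(attacker("EHLO", server("EHLO")))
    if "STARTTLS" not in caps:
        if require_tls:
            return Outcome(False, False, "STARTTLS not advertised; refusing to send in clear")
        return Outcome(True, False, "STARTTLS not advertised; sending in clear")

    reply = attacker("STARTTLS", server("STARTTLS"))
    if not reply[0].startswith("220"):
        code = reply[0][:3]
        if require_tls:
            return Outcome(False, False, f"STARTTLS rejected ({code}); refusing to send in clear")
        return Outcome(True, False, f"STARTTLS rejected ({code}); sending in clear")

    # A real client would now wrap the socket in TLS, verify the certificate
    # against the expected hostname, and re-issue EHLO over the encrypted link.
    return Outcome(True, True, "TLS negotiated before any message data")


def run_matrix():
    """Every attacker against both client policies; returns {(attack, policy): Outcome}."""
    attackers = {"none": no_attacker, "strip": strip_capability, "refuse": refuse_upgrade}
    results = {}
    for name, attacker in attackers.items():
        for require in (False, True):
            policy = "required" if require else "opportunistic"
            results[(name, policy)] = client(honest_server, attacker, require)
    return results


if __name__ == "__main__":
    for (attack, policy), outcome in run_matrix().items():
        print(f"{attack:7} {policy:13} delivered={outcome.delivered!s:5} "
              f"encrypted={outcome.encrypted!s:5} {outcome.reason}")
```

The model shows why "required" is a policy decision rather than a free win: under attack the message is not sent at all, which for a mail server means queueing and eventual bounce. It also deliberately stops at the 220 reply; certificate validation, which the second commenter puts most weight on, only happens after the upgrade, so a client that can be talked out of upgrading never gets to check a certificate.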
DoD networking isn't quite the same as what's available to the rest of us.
"Normal" stuff goes over something called NIPRNet. It uses Internet protocols and is connected to the Internet via a few gateways, but if you are emailing from .mil to .mil, it stays on NIPRNet. So it's a bit like emailing another employee at work - The message stays within your employer's network so it's hard(er) to MITM.
Important things go over SIPRNet, JWICS or another more secure network. Encryption in-transit over those networks has been standard since those networks were built, and is done via hardware devices.