Latest Front Page News

ISPs Removing Their Customers' Email Encryption

Submitted by: Hologram @ 11:55 PM | Tuesday, November 11, 2014 | (url: https://www.eff.o...)

Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag, called STARTTLS, from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.

This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does.
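
A defender-side check for the downgrade described in the story above, as an added example that is not part of the submitted article: it parses the EHLO reply a mail server returns, reports whether STARTTLS was offered, and shows how a "require TLS" policy defers delivery instead of falling back to plaintext. The EHLO replies are constructed sample data, the function names are hypothetical, and the "masked" pattern (a keyword overwritten with filler X characters) is a heuristic assumed here.

```python
import re

# Constructed EHLO replies (sample data, not captured traffic).
CLEAN = "250-mail.example.org\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
STRIPPED = "250-mail.example.org\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"
MASKED = "250-mail.example.org\r\n250-SIZE 35882577\r\n250-XXXXXXXA\r\n250 8BITMIME\r\n"

REPLY_LINE = re.compile(r"^250[- ](.*)$")

def ehlo_keywords(reply):
    """Return the upper-cased extension keywords from a multi-line EHLO reply."""
    lines = [line for line in reply.split("\r\n") if line]
    keywords = []
    for line in lines[1:]:  # the first line only carries the server's domain
        match = REPLY_LINE.match(line)
        if not match:
            raise ValueError(f"unexpected EHLO line: {line!r}")
        parts = match.group(1).split()
        if parts:
            keywords.append(parts[0].upper())
    return keywords

def starttls_status(reply):
    """Classify the reply as 'offered', 'masked' or 'absent'."""
    keywords = ehlo_keywords(reply)
    if "STARTTLS" in keywords:
        return "offered"
    # Heuristic (assumption): a run of filler X's where a keyword should be
    # suggests a middlebox overwrote the flag rather than deleting the line.
    if any(re.fullmatch(r"X{4,}[A-Z]?", k) for k in keywords):
        return "masked"
    return "absent"

def delivery_decision(reply, require_tls):
    """Opportunistic senders fall back to plaintext; strict senders defer."""
    if starttls_status(reply) == "offered":
        return "starttls"
    return "defer" if require_tls else "plaintext"

def downgrade_suspected(inside_reply, reference_reply):
    """True when a reference vantage point sees STARTTLS but this network does not."""
    return (starttls_status(reference_reply) == "offered"
            and starttls_status(inside_reply) != "offered")
```

Comparing the reply seen from the network under test with one obtained over a trusted path to the same server is what separates a stripped flag from a server that never offered STARTTLS.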


New IM Client, Invites included

Submitted by: Gumz @ 06:53 PM | Wednesday, February 27, 2008 | (url: http://www.tribal...)

A New Instant Messaging Client aimed to target all of your communicational needs is here. Read the story for instructions on getting an invite code.


FBI Gained Unauthorized Access to Email

Submitted by: Zengei @ 09:57 AM | Monday, February 18, 2008 | (url: http://www.nytime...)

"A technical glitch gave the F.B.I. access to the e-mail messages from an entire computer network, perhaps hundreds of accounts or more, instead of simply the lone e-mail address that was approved by a secret intelligence court as part of a national security investigation, according to an internal report of the 2006 episode.

F.B.I. officials blamed an apparent miscommunication with the unnamed Internet provider, which mistakenly turned over all the e-mail from a small e-mail domain for which it served as host. The records were ultimately destroyed, officials said."