ISPs Removing Their Customers' Email Encryption
Submitted by: Hologram @ 11:55 PM | Tuesday, November 11, 2014 | (url: https://www.eff.o...)
Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag, called STARTTLS, from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does.
Category: Technology | 42 Comments
Tags: email encryption isp privacy surveillance
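Added example, not part of the EFF article or the submission: a check a mail operator could run to tell a server that never offered STARTTLS from a path on which the flag was removed, plus the sender-side choice between falling back to plaintext and deferring. The EHLO replies, the host name mx.example.net and the filler keyword are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed EHLO replies (not captured traffic); host name is a placeholder.
EHLO_TRUSTED_PATH = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 PIPELINING\r\n"
)
# The same reply as seen on a path where the keyword was overwritten in transit
# (assumption: same-length filler, so the rest of the reply is unchanged).
EHLO_SUSPECT_PATH = EHLO_TRUSTED_PATH.replace("STARTTLS", "XXXXXXXX")

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def ehlo_keywords(reply):
    """Return the upper-cased extension keywords of a multi-line 250 reply."""
    keywords = set()
    lines = [line for line in reply.splitlines() if line]
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        if index == 0:
            continue  # first line carries the server's domain and greeting
        text = match.group(3).strip()
        if text:
            keywords.add(text.split()[0].upper())
    return keywords


def classify(trusted_reply, observed_reply):
    """Compare a reply from a trusted vantage point with the one observed."""
    if "STARTTLS" in ehlo_keywords(observed_reply):
        return "ok"
    if "STARTTLS" in ehlo_keywords(trusted_reply):
        return "stripped"  # server offers it, this path does not deliver it
    return "not-offered"


def delivery_action(observed_reply, require_tls):
    """Sender policy: opportunistic TLS falls back, enforced TLS defers."""
    if "STARTTLS" in ehlo_keywords(observed_reply):
        return "starttls"
    return "defer" if require_tls else "plaintext"
```

With require_tls left off, the suspect path yields "plaintext", which is the default behaviour the article describes; turning it on makes the sender hold the message instead.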
- Comments (42)
the government can't bug your house and tap your communications without a warrant.
Good thing Republicans are protecting us from Net Neutrality so shit like this doesn't happen.
You realize that the government getting involved in internet regulation is the exact opposite of net neutrality, right? Just like the USA PATRIOT act, and the Affordable Care Act, the names of such legislation are paradoxical to their content.
Good thing Republicans are protecting us from Net Neutrality so shit like this doesn't happen.
:lol:
we need the best protection that comcast ceo campaign adviser can give us.
You realize that the government getting involved in internet regulation is the exact opposite of net neutrality, right? Just like the USA PATRIOT act, and the Affordable Care Act, the names of such legislation are paradoxical to their content.
of course he doesn't realize that
You realize that the government getting involved in internet regulation is the exact opposite of net neutrality, right?
Who else can tell ISPs not to throttle traffic on a site-by-site basis?
the customers paying for their service. that is who
this is like saying who will tell car companies not to make cars that can only go 5mph?
that's how piss poor of an argument this is.
Verizon Kills $2 Fee After Consumer Outrage
The company made the decision in response to customer feedback about the plan, which was designed to improve the efficiency of those transactions. The company continues to encourage customers to take advantage of the numerous simple and convenient payment methods it provides.
“At Verizon, we take great care to listen to our customers. Based on their input, we believe the best path forward is to encourage customers to take advantage of the best and most efficient options, eliminating the need to institute the fee at this time,” said Dan Mead, president and chief executive officer of Verizon Wireless.
:lol:
holy fuk...waaaa? they backed down after customer outraged and the ability to switch service providers??
but i thought only government could fix things like this?
the costumers paying for their service. that is who
what about those working outside of the clothing industry?
Who else can tell ISPs not to throttle traffic on a site-by-site basis?
Customers can, by taking their business elsewhere or complaining en masse to the ISP. Bitching about things in the comments section on reddit is different than directing the comments where they can make the most impact.
not that government isn't more dick deep in bed with fukin monopolies
but that would mess everything up. monopolies would have to compete and government would have a harder time tracking/controlling everything we do or say.
neither of those outcomes is acceptable for them. that type of capitalism would be anarchy. it would lead to a market of choices for consumers to pick from and total chay-os for those that wish to control it.
Except that in the US you can't really take your business elsewhere.
This.
Even when there are choices in a marketplace, what options do customers have when every ISP decides to do it? Every ISP I know of has discontinued newsgroup service, forcing their users to pay a third party provider. We don't have that option if every ISP decides to start throttling competitor's traffic to protect their own business offerings or extort fees from content providers.