{"id":185456,"date":"2014-11-12T21:54:00","date_gmt":"2014-11-13T02:54:00","guid":{"rendered":"https:\/\/www.panix.com\/~msaroff\/40years\/2014\/11\/12\/well-this-is-just-ducky\/"},"modified":"2014-11-12T21:54:00","modified_gmt":"2014-11-13T02:54:00","slug":"well-this-is-just-ducky","status":"publish","type":"post","link":"https:\/\/www.panix.com\/~msaroff\/40years\/2014\/11\/12\/well-this-is-just-ducky\/","title":{"rendered":"Well, This is Just Ducky"},"content":{"rendered":"<div>It appears that some ISPs are <a href=\"https:\/\/www.eff.org\/deeplinks\/2014\/11\/starttls-downgrade-attacks\">stripping the encryption out of their user&#8217;s email<\/a>, even when connecting to outside servers:<\/div>\n<blockquote><p><span style=\"color: blue;\">Recently, Verizon was caught <a href=\"https:\/\/www.eff.org\/deeplinks\/2014\/11\/verizon-x-uidh\">tampering with its customer&#8217;s web requests<\/a> to inject a <a href=\"http:\/\/www.marketplace.org\/topics\/business\/verizon-att-and-new-supercookies\">tracking super-cookie<\/a>. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported <a href=\"http:\/\/www.goldenfrog.com\/blog\/fcc-must-prevent-isps-blocking-encryption\">ISPs in the US<\/a> and <a href=\"http:\/\/www.telecomasia.net\/content\/google-yahoo-smtp-email-severs-hit-thailand\">Thailand<\/a> intercepting their customers&#8217; data to strip a security flag\u2014called STARTTLS\u2014from email traffic. 
The <a href=\"https:\/\/www.eff.org\/deeplinks\/2014\/06\/new-gmail-data-shows-rise-backbone-email-encryption\">STARTTLS flag<\/a> is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.<a href=\"https:\/\/www.eff.org\/deeplinks\/2014\/11\/starttls-downgrade-attacks#footnote1_rshkhpy\">1<\/a> <\/p>\n<p>By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, <a href=\"https:\/\/stomp.colorado.edu\/blog\/blog\/2012\/12\/31\/on-smtp-starttls-and-the-cisco-asa\/\">including Cisco&#8217;s PIX\/ASA firewall<\/a> do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception. <\/p>\n<p>This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server<a href=\"https:\/\/www.eff.org\/deeplinks\/2014\/11\/starttls-downgrade-attacks#footnote2_6bk9gm9\">2<\/a>. STARTTLS was also relatively uncommon <a href=\"https:\/\/www.eff.org\/deeplinks\/2014\/06\/new-gmail-data-shows-rise-backbone-email-encryption\">until late 2013<\/a>, when EFF started <a href=\"https:\/\/www.eff.org\/deeplinks\/2013\/11\/encrypt-web-report-whos-doing-what\">rating companies on whether they used it<\/a>. 
Since then, many of the <a href=\"https:\/\/www.google.com\/transparencyreport\/saferemail\/\">biggest<\/a> <a href=\"https:\/\/www.facebook.com\/notes\/protect-the-graph\/massive-growth-in-smtp-starttls-deployment\/1491049534468526\">email<\/a> <a href=\"https:\/\/www.eff.org\/deeplinks\/2014\/04\/yahoo-protects-users-lots-more-encryption\">providers<\/a> <a href=\"https:\/\/blog.twitter.com\/2014\/greater-privacy-for-your-twitter-emails-with-tls\">implemented<\/a> STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google&#8217;s <a href=\"https:\/\/www.google.com\/transparencyreport\/saferemail\/\">Safer email transparency report<\/a> and <a href=\"https:\/\/starttls.info\/\">starttls.info<\/a> are good resources for checking whether a particular provider does.<\/span><\/p><\/blockquote>\n<p>STARTTLS is not a particularly strong protection, but it does conceal metadata like addresses and subjects from eavesdroppers.<\/p>\n<p>What this was all about (once discovered, the ISP in question, AIO Wireless, stopped doing it) is an attempt to resell user data, or to serve ads to users.<\/p>\n<p>As the <a href=\"http:\/\/www.goldenfrog.com\/blog\/fcc-must-prevent-isps-blocking-encryption\">good folks at Golden Frog observe<\/a>:<\/p>\n<blockquote><p><span style=\"color: blue;\">Neither the old nor the new proposed Internet rules being debated by the FCC would stop wireless providers from blocking encryption technologies. That is very frustrating and one of the key points in our FCC filing. The FCC is a government organization and tasked with protecting national security when it comes to electronic communications. They are part of the same government that surveils its citizens. 
It\u2019s not unreasonable to think they are getting pressure to curtail encryption.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span> <span style=\"color: blue;\">Furthermore, ISPs have incentive to block privacy technologies like VPNs. They want to profit as much as possible from the way you use the Internet. Privacy services that are independent of their offerings don\u2019t allow them to do that. If they aren\u2019t selling the service to you, they aren\u2019t making money and that frustrates them. However, when they are blocking privacy services, they are dangerously putting businesses\u2019 confidential communications and individual customers\u2019 privacy at risk.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span> <span style=\"color: blue;\">We strongly believe that the same Open Access rules that should apply to wired Internet providers should also apply to mobile Internet providers, especially considering this specific encryption-related incident that affects online privacy.<\/span><\/p><\/blockquote>\n<p>Unfettered free market capitalism \u2026\u2026\u2026 Gotta love it.<\/p>\n<p>H\/T <a href=\"http:\/\/www.nakedcapitalism.com\/2014\/11\/isps-removing-customers-e-mail-encryption.html\">naked capitalism<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It appears that some ISPs are stripping the encryption out of their user&#8217;s email, even when connecting to outside servers: Recently, Verizon was caught tampering with its customer&#8217;s web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. 
In recent months, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1005,1067,970,1066,1025],"tags":[],"class_list":["post-185456","post","type-post","status-publish","format-standard","hentry","category-business","category-communications","category-corruption","category-privacy","category-technology"],"_links":{"self":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/185456"}],"collection":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/comments?post=185456"}],"version-history":[{"count":0,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/185456\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/media?parent=185456"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/categories?post=185456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/tags?post=185456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}