gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
76774 Posts in 13500 Topics by 1651 Members - Latest Member: insider4ever March 28, 2024, 04:49:29 pm
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  US ISP Companies Undermining Email Encryption
gfx
gfxgfx
 

Author Topic: US ISP Companies Undermining Email Encryption  (Read 871 times)

0 Members and 1 Guest are viewing this topic.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
US ISP Companies Undermining Email Encryption
« on: November 16, 2014, 01:14:56 pm »


More dirty work  :x

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Quote
Recently, Verizon was caught tampering with its customer's web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.1

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.

This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server.

I would suggest these companies have been ordered to do this simply to read the "To" and "cc" fields of these emails, unfortunately in this case this attack leaves the whole of the email unencrypted, the NSA is pretty much desperate to read anything sent across the US and will use any trick to facilitate this activity. 

What types of email encryption similar to this are about for folks to use while this particular vector is insecure ?

I notice that the EFF has a helpful page regarding the security of many messaging systems.

https://www.eff.org/secure-messaging-scorecard

Pidgen with OTR is what I myself use instead of email and according to the EFF list thats a wise decision  :-D

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  US ISP Companies Undermining Email Encryption
 

gfxgfx
gfx
©2005-2024 WinMXWorld.com. All Rights Reserved.
SMF 2.0.19 | SMF © 2021, Simple Machines | Terms and Policies
Page created in 0.018 seconds with 21 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!