Discussion in 'privacy problems' started by MrBrian, Nov 11, 2014.
That is truly evil
Condemnation mounts against ISP that sabotaged users’ e-mail encryption
The ISPs removing their customers' encryption is sort of similar to what the FCC is saying about what Obama wants for the law on Net Neutrality. Basically the FCC is saying they don't have to listen to Obama, and that it is up to the ISPs and up to the Senate to write the laws, and the Senate seems to be backing what the ISPs want. The removal of the ISPs' customers' encryption is part of the ISPs' overall anti-consumer/privacy stance.
I know that for the masses the hope is for an easy "hand held" encryption scheme where the user does nothing additional. In order for that to ever exist, the control of how it happens is left to the "cloud/provider gods". Unfortunately I don't believe the folks en masse will ever assume control for themselves and encrypt at the machine level (e.g. PGP). If they would handle it locally, then the transmissions couldn't be "tampered with" while en route.
In fact I would say that "those" folks will never read this thread either. Know what I mean?
This throws a spanner into Google's plans to write an encryption extension.
Why aren’t more news organizations protecting their e-mail with STARTTLS encryption?
One of the reasons I don't use starttls ever when contacting my mail server and sending mail.
Just direct, enforced encryption on the deprecated port 465 when sending (don't care what IANA says, I still use it).
And for reading my mail, IMAPS (port 993).
That should (in theory) prevent my ISP from stealing my login credentials.
So there has already been unofficial, mandatory client-to-server encryption for ages.
What is needed is also enforced server-to-server encryption, where encryption handshake is started immediately, without any "may I pretty, please?" upgrading from plaintext to encrypted.
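A fail-closed client policy along the lines of this post, as an added example that is not part of the thread: implicit TLS on 465/993, and on any other port proceed only if the EHLO reply actually advertises STARTTLS, otherwise abort instead of falling back to plaintext. The EHLO replies below are constructed samples, and `mail.example.test` is a placeholder host.

```python
"""Fail-closed mail-client TLS policy (added example, not from the thread).

Implicit TLS on 465/993 starts the handshake before any protocol bytes, so
there is no plaintext capability list for an intermediary to tamper with.
On other ports the client must see STARTTLS advertised or refuse to continue.
"""
import smtplib
import ssl
from typing import List, Optional, Tuple

IMPLICIT_TLS_PORTS = {465, 993}  # SMTPS (submission over TLS) and IMAPS


def parse_ehlo(raw: bytes) -> Tuple[int, List[str]]:
    """Split a raw EHLO reply into its status code and advertised extension keywords."""
    lines = raw.decode("ascii", errors="replace").splitlines()
    code = int(lines[0][:3])
    keywords = []
    for line in lines:
        # Continuation lines read "250-EXT ...", the final line "250 EXT ..."
        if len(line) > 4 and line[:3] == "250":
            keywords.append(line[4:].split()[0].upper())
    return code, keywords[1:]  # first line carries the server name, not an extension


def starttls_advertised(raw: bytes) -> bool:
    code, exts = parse_ehlo(raw)
    return code == 250 and "STARTTLS" in exts


def connection_policy(port: int, ehlo_reply: Optional[bytes] = None) -> str:
    """Return 'implicit-tls', 'starttls' or 'refuse'; never downgrade to plaintext."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit-tls"
    if ehlo_reply is not None and starttls_advertised(ehlo_reply):
        return "starttls"
    return "refuse"  # STARTTLS absent (or stripped in transit): abort before AUTH


def submit_implicit_tls(host: str, user: str, password: str, port: int = 465) -> smtplib.SMTP_SSL:
    """Open a submission session whose TLS handshake precedes any plaintext; verifies the cert."""
    ctx = ssl.create_default_context()  # CA verification + hostname check on by default
    conn = smtplib.SMTP_SSL(host, port, context=ctx)
    conn.login(user, password)
    return conn


# Constructed sample replies (not captured from a real server)
EHLO_WITH_STARTTLS = b"250-mail.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"
EHLO_STRIPPED = b"250-mail.example.test Hello\r\n250-SIZE 35882577\r\n250 AUTH PLAIN LOGIN\r\n"
```

`submit_implicit_tls` is only defined, not called, so the block runs offline; `connection_policy` is the piece to wire into any client that might otherwise upgrade opportunistically.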
Gmail uses ports 993/465, but that doesn't seem to stop this one spammer who sends his spam from an ISP address; the address might be spoofed since he changes address, so it might not come from my ISP after all. I changed DNS and started using DNSCrypt again.
It's dangerous, I think, to call this "email encryption". Yes, it does secure login credentials from intermediaries. But email is fundamentally insecure. All mailservers can see metadata and other plaintext, even if connections among them are encrypted. GnuPG is great for what it is, but it's a band-aid.
We need email that's secure by design. Maybe the Dark Mail initiative will do it. Services like Countermail, and recent startups like Protonmail etc, are great too. But they're proprietary, and don't play well together.
Maybe email itself is no longer relevant. Better might be a cross-platform version of TextSecure, or Pond.
In those carefree, happy days of the 70s, the researchers of the early e-mail service did not give a damn for encryption or authentication.
Did they not care? Or did they care, but DARPA did not allow such things to be added to early protocol implementations?
And now we have this mess where people try to fix things by adding layer after layer of new stuff to old, insecure protocols.
Edit: And of course, it's not just SMTP. All the still currently used protocols are basically insecure. By design.
plain SMTP: no encryption, client authentication sent in cleartext, no authentication for server-to-server
plain POP3: no encryption, authentication sent in cleartext
plain IMAP: no encryption, authentication sent in cleartext
plain DNS: no encryption, no authentication
plain HTTP: no encryption, the only authentication is laughably easy to crack base64
plain FTP: no encryption, authentication sent in cleartext
Um, can't know for sure, but this may be much ado about very little. The article cited in the OP is based on an article on the Golden Frog blog.
That article stated it had been based on an article published on TechDirt https://www.techdirt.com/blog/netne...cryption-make-everyone-less-safe-online.shtml
It further noted that the Golden Frog article gathered a fair amount of attention and received questions from the press (including the Washington Post).
As reported by the Washington Post, the issue involved only SOME customers of ONE popular prepaid-mobile company, Cricket.
The Washington Post further noted that: "Golden Frog told The Washington Post that Cricket... said its testing found that the problem ended shortly after the TechDirt article was published."
So yeah there is a potential issue out there but at the present time it appears that the cause was inadvertent and only affected some customers of one company and that the issue was resolved shortly after it became aware of it.
If you want to ponder upon something that puts everything into proper perspective consider this for a moment:
"Astronomers find a shockingly ancient black hole the size of 12 billion suns.....
Some 12.8 billion light years away, astronomers have spotted an object of almost impossible brightness — the most luminous object ever seen in such ancient space. It's from just 900 million years after the big bang, and the old quasar — a shining object produced by a massive black hole — is 420 trillion times more luminous than our sun.
Try and get your head around that.
I'm rather fascinated by the not-too-distant black hole at our galaxy's center, in Sagittarius A.
If that jet were pointing our way, we'd be toast.
That's true for the application level protocols, which means that people have to roll their own stack onto TCP - which will increasingly be the case, as we've seen. Of course TCP has its moments too, but they can be remedied. The other two aspects of this dismal scene are the CA/certificate disasters, and the untrustworthiness of ISPs and "private" circuit providers. Oh, and the "terrifically weak" clients. Three things....
I love all the astronomy stuff, beautiful, and it also makes me feel weary and dismal at the tawdry behaviour of governments and corporates attacking our privacy.
Agreed, not only those email protocols but most of those old protocols are not secure by design, and so it's patch after patch.
I wonder why DNSCrypt still persisted with the DNS protocol; maybe they didn't need to.
But since those protocols are quite prevalent, nobody tries to replace them? Just a guess...
Yeah, I like astronomy things too; looking at the heavens at night you can temporarily forget all that human-related fuss, too tiny and absurd compared to the billions-scale universe. Then come back to those "reals"...