ISPs Removing Their Customers' Email Encryption

Discussion in 'privacy problems' started by MrBrian, Nov 11, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks:
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    That is truly evil :thumbd:
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    How disappointing!!
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
  5. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    The ISPs removing their customers' encryption is sort of similar to what the FCC is saying about what Obama wants for the law on Net Neutrality. Basically the FCC is saying they don't have to listen to Obama, and say it is up to the ISPs and it is up to the Senate to write the laws, and the Senate seems to be backing what the ISPs want. The removing of the ISPs' customers' encryption is part of the ISPs' overall anti-consumer/privacy stance.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    I know that for the masses the hope is for an easy "hand held" encryption scheme where the user does nothing additional. In order for that to ever exist, the control of how it happens is left to the "cloud/provider gods". Unfortunately I don't believe the folks en masse will ever assume control for themselves and encrypt at the machine level (e.g. PGP). If they would handle it locally, then the transmissions couldn't be "tampered with" while en route.

    In fact I would say that "those" folks will never read this thread either. Know what I mean?
     
  7. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    This throws a spanner into Google's plans to write an encryption extension.
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Why aren’t more news organizations protecting their e-mail with STARTTLS encryption?

    -- Tom
     
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    105
    One of the reasons I never use STARTTLS when contacting my mail server and sending mail.
    Just direct enforced encryption with the deprecated port 465 when sending (don't care what IANA says, I still use it).
    And for reading my mail, IMAPS (port 993).
    That should (in theory) prevent my ISP from stealing my login credentials.

    So there has already been unofficial, mandatory client-to-server encryption for ages.

    What is needed is also enforced server-to-server encryption, where encryption handshake is started immediately, without any "may I pretty, please?" upgrading from plaintext to encrypted.
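    The post above contrasts two client policies: implicit TLS on 465/993, where the handshake happens before any mail command, and STARTTLS, where the client first reads a plaintext EHLO reply and upgrades only if the server advertises the capability. The script below is an added illustration, not code from the thread or from the EFF post it links; it parses a constructed EHLO reply, checks whether STARTTLS is advertised, and applies the strict "never continue in plaintext" policy the poster describes. The sample replies, host name and function names are all assumptions made up for the example; the second reply is the first one with the STARTTLS keyword overwritten, which is what a client sees when an intermediary strips the capability.

```python
"""Defensive check for STARTTLS stripping in an SMTP EHLO reply.

Added example (not from the forum thread or the EFF article it cites).
Parses the multi-line 250 reply a server sends after EHLO, reports whether
STARTTLS is advertised, and applies a strict client policy: never send
credentials or mail in plaintext when the upgrade is missing.
"""
import re
from typing import List, Optional

# Constructed sample EHLO replies; no real server was contacted.
EHLO_CLEAN = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)

# Same reply with the STARTTLS keyword overwritten in transit. A client that
# merely looks for the literal keyword and otherwise carries on would end up
# sending AUTH PLAIN credentials in the clear.
EHLO_STRIPPED = EHLO_CLEAN.replace("250-STARTTLS", "250-XXXXXXXX")

_EHLO_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply: str) -> List[str]:
    """Return the upper-cased capability keywords from a 250 EHLO reply.

    The first line is the greeting (server domain plus free text) and is
    skipped; '250-' continues the reply and '250 ' (space) ends it.
    """
    lines = [ln for ln in reply.split("\r\n") if ln]
    caps: List[str] = []
    for idx, line in enumerate(lines):
        match = _EHLO_LINE.match(line)
        if not match:
            raise ValueError(f"unexpected EHLO line: {line!r}")
        sep, text = match.groups()
        if idx == 0:
            if sep == " ":
                break  # single-line reply: server offers no extensions
            continue
        words = text.split()
        if words:
            caps.append(words[0].upper())
        if sep == " ":
            break  # last line of the reply
    return caps


def starttls_offered(reply: str) -> bool:
    """True when the server advertised the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def auth_without_tls(reply: str) -> bool:
    """Flag the dangerous combination: AUTH offered but no STARTTLS.

    On a plaintext port this means the server (or whoever altered the reply)
    is inviting the client to send its password unencrypted.
    """
    caps = parse_ehlo(reply)
    return "AUTH" in caps and "STARTTLS" not in caps


def client_decision(port: int, ehlo_reply: Optional[str] = None) -> str:
    """Strict policy in the spirit of the post: TLS is never optional.

    465 (SMTPS), 993 (IMAPS) and 995 (POP3S) use implicit TLS, so the
    handshake happens first and no EHLO inspection is needed.  On any other
    port the client must see STARTTLS in the EHLO reply or abort; it never
    falls back to plaintext.
    """
    if port in (465, 993, 995):
        return "implicit-tls"
    if ehlo_reply is None:
        return "abort"
    return "starttls" if starttls_offered(ehlo_reply) else "abort"


if __name__ == "__main__":
    for name, reply in (("clean", EHLO_CLEAN), ("stripped", EHLO_STRIPPED)):
        print(name, parse_ehlo(reply), "->", client_decision(587, reply),
              "| AUTH without TLS:", auth_without_tls(reply))
```

The point of `auth_without_tls` is that the downgrade does not look like an error to a permissive client: the reply is syntactically valid and AUTH is still offered, so only a client that treats a missing STARTTLS as fatal on ports 25 and 587 is protected. Real mail clients expose this as a "require TLS" or "STARTTLS (always)" setting; the implicit-TLS ports sidestep the question entirely because nothing is negotiated in plaintext.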
     
  10. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Gmail uses ports 993/465, which doesn't seem to stop this one spammer who sends his spam from an ISP address; the address might be spoofed, since he changes addresses, so it might not come from my ISP after all. I changed DNS and started using DNSCrypt again.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    It's dangerous, I think, to call this "email encryption". Yes, it does secure login credentials from intermediaries. But email is fundamentally insecure. All mailservers can see metadata and other plaintext, even if connections among them are encrypted. GnuPG is great for what it is, but it's a bandaid.

    We need email that's secure by design. Maybe the Dark Mail initiative will do it. Services like Countermail, and recent startups like Protonmail etc, are great too. But they're proprietary, and don't play well together.

    Maybe email itself is no longer relevant. Better might be a cross-platform version of TextSecure, or Pond.
     
  12. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    105
    I agree.
    In those carefree, happy days of the 70s, the researchers behind the early e-mail service did not give a damn about encryption or authentication.

    Did they not care? Or they did care but DARPA did not allow such things to be added to early protocol implementations?
    Who knows....

    And now, we have this mess where people try to fix things by adding layer after layer of new stuff to an old, insecure protocol.

    Edit: And of course, it's not just SMTP. All the protocols still in use today are basically insecure. By design.

    plain SMTP: no encryption, client authentication sent in cleartext, no authentication for server-to-server
    plain POP3: no encryption, authentication sent in cleartext
    plain IMAP: no encryption, authentication sent in cleartext
    plain DNS: no encryption, no authentication
    plain HTTP: no encryption, the only authentication is laughably easy to crack base64
    plain FTP: no encryption, authentication sent in cleartext
    etc.........
     
    Last edited: Feb 25, 2015
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
    Um, can't know for sure, but this may be much ado about very little. The article cited in the OP is based on an article on the Golden Frog blog.

    http://www.goldenfrog.com/blog/fcc-must-prevent-isps-blocking-encryption

    That article stated it had been based on an article published on TechDirt https://www.techdirt.com/blog/netne...cryption-make-everyone-less-safe-online.shtml

    It further noted that the Golden Frog article gathered a fair amount of attention and received questions from the press (including the Washington Post).

    As reported by the Washington Post, the issue involved only SOME customers of ONE popular prepaid-mobile company, Cricket.

    The Washington Post further noted that: "Golden Frog told The Washington Post that Cricket... said its testing found that the problem ended shortly after the TechDirt article was published."

    http://www.washingtonpost.com/blogs...pts-to-send-encrypted-e-mails-research-finds/

    So yeah, there is a potential issue out there, but at the present time it appears that the cause was inadvertent and only affected some customers of one company, and that the issue was resolved shortly after it became aware of it.

    If you want to ponder upon something that puts everything into proper perspective consider this for a moment:

    "Astronomers find a shockingly ancient black hole the size of 12 billion suns.....

    Some 12.8 billion light years away, astronomers have spotted an object of almost impossible brightness — the most luminous object ever seen in such ancient space. It's from just 900 million years after the big bang, and the old quasar — a shining object produced by a massive black hole — is 420 trillion times more luminous than our sun.

    Try and get your head around that :)

    http://www.washingtonpost.com/news/...ack-hole-the-size-of-12-billion-suns/?hpid=z5
     
    Last edited: Feb 25, 2015
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I'm rather fascinated by the not-too-distant black hole at our galaxy's center, in Sagittarius A.
    http://www.univearths.fr/en/echoes-multiple-outbursts-sagittarius-revealed-chandra
    http://chandra.harvard.edu/photo/2013/sgra/

    If that jet were pointing our way, we'd be toast.
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    That's true for the application-level protocols, which means that people have to roll their own stack onto TCP, which will increasingly be the case, as we've seen. Of course TCP has its moments too, but they can be remedied. The other two aspects of this dismal scene are the CA/certificate disasters, and the untrustworthiness of ISPs and "private" circuit providers. Oh, and the "terrifically weak" clients. Three things....

    I love all the astronomy stuff, beautiful, and it also makes me feel weary and dismal at the tawdry behaviour of governments and corporates attacking our privacy.
     
  16. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Agreed, not only those email protocols but most of those old protocols are not secure by design, and so patch after patch.
    I wonder why DNSCrypt still persisted with the DNS protocol; maybe they didn't need to.
    But since those protocols are quite prevalent, nobody tries to replace them? Just a guess...

    Yeah, I like astronomy things too; looking at the heavens at night, you can temporarily forget all that human-related fuss, too tiny and absurd compared to the billion-scale universe. Then come back to those "reals"...
     