Story 2014-11-12 2V0A ISPs caught stripping STARTTLS from email

ISPs caught stripping STARTTLS from email

by
in security on (#2V0A)
Those evil ISPs are at it again:
Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag, called STARTTLS, from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
Although I wouldn't trust the content of your non-PGP email to ever be secure, this could potentially lead to your email account password being transmitted in the clear, depending on how your email client and server are configured.
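The downgrade above works because STARTTLS is only an advertised capability in the EHLO reply, and a client doing opportunistic TLS just carries on in plaintext when it does not see it. The following is an added example (not code from the story or from the EFF) that plays both sides of the exchange on a loopback socket: a tiny fake server that answers EHLO with a constructed capability list, once intact and once with the STARTTLS keyword no longer present, and a client that parses the multi-line 250 reply and refuses to continue rather than downgrade. The hostnames, the capability lists and the "XXXXXXXX" replacement are constructed for the demo; the check keys on the keyword being absent, not on any particular replacement bytes.

```python
import socket
import threading

# Constructed EHLO capability lists (not captured from any real ISP or server).
# INTACT is what a TLS-capable server advertises; MANGLED models the downgrade
# the story describes: the STARTTLS keyword never reaches the client. The
# replacement bytes are an assumption; the check below keys on absence only.
INTACT = ["PIPELINING", "SIZE 10240000", "STARTTLS", "8BITMIME"]
MANGLED = ["PIPELINING", "SIZE 10240000", "XXXXXXXX", "8BITMIME"]

VERDICT_OFFERED = "starttls-offered"
VERDICT_REFUSED = "refused-starttls-not-advertised"


def format_ehlo_reply(hostname, caps):
    """Build a multi-line 250 reply: '250-' on every line but the last."""
    lines = [hostname] + caps
    return "".join(f"250-{l}\r\n" for l in lines[:-1]) + f"250 {lines[-1]}\r\n"


def parse_ehlo_reply(text):
    """Return (code, [capability keywords]) from an EHLO reply.

    The first 250 line carries the server's hostname, not a capability; each
    later line's keyword is its first token ('SIZE 10240000' -> 'SIZE').
    """
    code, items = None, []
    for line in text.splitlines():
        if len(line) < 4:
            continue
        code = line[:3]
        items.append(line[4:].strip())
        if line[3] == " ":  # a space after the code marks the final line
            break
    return code, [item.split()[0].upper() for item in items[1:] if item]


def starttls_offered(keywords):
    return "STARTTLS" in keywords


def recv_line(conn):
    """Read one CRLF-terminated command line from a socket."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode(errors="replace")


def recv_reply(conn):
    """Read a full SMTP reply; the final line has a space at offset 3."""
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = [l for l in data.split(b"\r\n") if l]
        if data.endswith(b"\r\n") and lines and lines[-1][3:4] == b" ":
            break
    return data.decode(errors="replace")


def fake_server(listener, caps):
    """Minimal SMTP responder: greeting, one EHLO reply, then 221 on QUIT."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        if recv_line(conn).upper().startswith("EHLO"):
            conn.sendall(format_ehlo_reply("mail.example.test", caps).encode())
        else:
            conn.sendall(b"500 expected EHLO\r\n")
        recv_line(conn)  # the demo client sends QUIT either way
        conn.sendall(b"221 mail.example.test closing\r\n")


def probe(host, port):
    """Client side: EHLO, inspect the capabilities, refuse instead of downgrading."""
    with socket.create_connection((host, port), timeout=5) as c:
        recv_reply(c)  # 220 greeting
        c.sendall(b"EHLO client.example.test\r\n")
        code, keywords = parse_ehlo_reply(recv_reply(c))
        c.sendall(b"QUIT\r\n")
        recv_reply(c)
    if code == "250" and starttls_offered(keywords):
        return VERDICT_OFFERED  # a real client would now send STARTTLS and handshake
    return VERDICT_REFUSED  # opportunistic TLS would send plaintext here; stop instead


def run_demo(caps):
    """Start the fake server on a loopback port and probe it once."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=fake_server, args=(listener, caps), daemon=True)
    t.start()
    try:
        return probe("127.0.0.1", port)
    finally:
        t.join(5)
        listener.close()


if __name__ == "__main__":
    print("intact server :", run_demo(INTACT))
    print("mangled EHLO  :", run_demo(MANGLED))
```

The policy in `probe` is the whole point: treat a missing STARTTLS as a failure, not as permission to send in the clear. In a real client built on Python's smtplib the same policy falls out naturally, because `SMTP.starttls()` raises `SMTPNotSupportedError` when the extension was not advertised; the mistake is catching that exception and continuing with the plaintext session.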

Yes but... (Score: 0)

by Anonymous Coward on 2014-11-12 14:45 (#2V0F)

Is there a condition in the T&Cs giving these ISPs permission to intercept and modify users' network traffic?

Re: Yes but... (Score: 2, Interesting)

by tanuki64@pipedot.org on 2014-11-12 14:59 (#2V0G)

And even if there is... is it valid? I don't know much about US laws, but e.g. in Germany there is a high probability that such an unexpected condition would be invalid. High probability = in court and on the high seas, a man's fate lies in God's hands.

Re: Yes but... (Score: 1, Informative)

by Anonymous Coward on 2014-11-13 00:08 (#2V17)

And even if there is... is it valid?
Not legally, not in the UK:
New s. 296ZG of the 1988 Act created new rights in respect of electronic rights management information metadata. The right is infringed by:

the person who knowingly removes electronic copyright management information which is associated with a copy of a copyright work, or appears in connection with the communication to the public of a copyright work;
the person who knowingly distributes or communicates to the public copies of a work from which electronic rights management information has been removed.
What does the DMCA have to say about such matters?

Fastmail (Score: 2, Interesting)

by zafiro17@pipedot.org on 2014-11-13 13:35 (#2V1M)

Interesting. I use Fastmail (fastmail.com, was fastmail.fm before last month) and they not only insist on SSL connection for IMAP but refuse to use StartTLS, and now I understand why. I didn't before. Too bad we're learning everything the hard way!

It pisses me off - you can no longer trust your machine, can't trust your connection, can't trust your ISP, and can definitely not trust your government. Now what? I'm off to buy a typewriter and kickstart a FIDOnet replacement via a Raspberry Pi node I can run from an underground bunker. We're going from bad to worse here.