The Electronic Frontier Foundation (EFF), an internet freedom watchdog group, is reporting that for the past few months some ISPs in the US and Thailand have been caught removing encryption from customers’ emails by stripping a security flag called STARTTLS from the messages.
The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client. By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the sending server will proceed to transmit plaintext email over the public Internet, where it is easily subject to eavesdropping and interception.
One example, according to Golden Frog, is Cricket Wireless. The personal VPN service provider noted in filings with the FCC that its analysis showed that Cricket was interfering with its users’ ability to encrypt their SMTP email traffic by “overwriting the content of users’ communications and actively blocking STARTTLS encryption. This is a man-in-the-middle attack that prevents customers from using the applications of their choosing and directly prevents users from protecting their privacy.”
Cricket has since stopped doing this, the firm said. For its part, Cricket has not issued a public statement on the accusation.
But the move to block encryption, if proven true, clearly belies the basic principles of a free, open and unencumbered internet—and the privacy implications are, of course, myriad.
“It is important that ISPs immediately stop this unauthorized removal of their customers' security measures,” the EFF said in a blog post. “ISPs act as trusted gateways to the global internet and it is a violation of that trust to intercept or modify client traffic, regardless of what protocol their customers are using. It is a double violation when such modification disables security measures their customers use to protect themselves.”
There is no legitimate purpose for an ISP to remove the flag, according to security researchers. In corporate environments, servers sometimes strip it so that outbound mail can be monitored for spam originating within the network and stopped before it is sent. Residential scenarios are a different story.
“I cannot think of a single valid reason for a mail server to refuse STARTTLS,” said Steve Hultquist, chief evangelist at RedSeal, in an email to Infosecurity. “I can also not think of a single innocent intention that would cause a service provider to interrupt a communication session to artificially deny the STARTTLS in order to force the mail client to use clear text communications that could then be read by the service provider. The lack of valid engineering reasons makes this situation deeply disturbing.”
Such a move would hand internet users over to cybercriminals almost on a silver platter, because the stripping goes largely undetected by end users. Most users also lack the knowledge or know-how to make sure their client does not accept the downgrade.
“Users should make sure that their mail client is set to fail when connecting to any server that rejects STARTTLS,” Hultquist said. “This situation once again underscores the complex interrelationships of networks, their operational team and users.”
He added, “Network users inherently trust service providers to deliver their bits undisturbed to the other end of their communication, and this action by some service providers reminds us that there are many ways to betray that trust.”
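As an added example that is not from the article or from any of the parties it quotes, the Python script below does what Hultquist recommends: it parses an SMTP server's EHLO reply, refuses to continue if STARTTLS is not advertised, and only then upgrades the session. The EHLO replies and the host name are constructed assumptions, not captures from any real server.

```python
import smtplib
import ssl


def starttls_advertised(ehlo_reply: bytes) -> bool:
    """Return True if an SMTP EHLO reply advertises the STARTTLS extension.

    Accepts either raw wire lines ("250-STARTTLS") or smtplib's reply text,
    which already has the "250-" / "250 " prefix removed.
    """
    for raw in ehlo_reply.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if len(line) >= 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]
        # The first token of each line is the extension keyword; match case-insensitively.
        keyword = line.split(None, 1)[0].upper() if line else ""
        if keyword == "STARTTLS":
            return True
    return False


def open_mandatory_tls_session(host: str, port: int = 587, timeout: float = 10.0) -> smtplib.SMTP:
    """Connect to a submission server and refuse to proceed without TLS.

    Raises RuntimeError instead of silently continuing in plaintext, which is
    the fail-closed behaviour the article recommends for mail clients.
    """
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    code, reply = smtp.ehlo()
    if code != 250:
        smtp.close()
        raise RuntimeError(f"EHLO failed with {code}: {reply!r}")
    if not starttls_advertised(reply):
        smtp.close()
        raise RuntimeError("STARTTLS not advertised; refusing cleartext (possible stripping)")
    # create_default_context() verifies the server certificate and host name.
    smtp.starttls(context=ssl.create_default_context())
    smtp.ehlo()  # Capabilities must be re-read after the TLS upgrade.
    return smtp


# Constructed EHLO replies (assumptions, not captured from any real server).
EHLO_WITH_STARTTLS = b"250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = b"250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    print("advertised:", starttls_advertised(EHLO_WITH_STARTTLS))  # True
    print("stripped:  ", starttls_advertised(EHLO_STRIPPED))       # False
```

To check a live server, call open_mandatory_tls_session("mail.example.test") (an assumed host name); it raises rather than falling back to plaintext when STARTTLS is missing.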