Ever since 2013, when the Electronic Frontier Foundation started shaming email providers that did not encrypt their customers' email, more and more mail providers have turned on STARTTLS, which protects email in transit from snooping, without requiring users to take any additional steps.
But ISPs in the USA and Thailand have been caught sabotaging STARTTLS, interrupting the negotiation between mail-servers to prevent the encryption bit from being turned on, leaving millions of peoples' email liable to snooping by crooks, governments, spies and others.
In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.1
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
ISPs Removing Their Customers' Email Encryption
[Jacob Hoffman-Andrews/EFF]
(Image: uncle sam wants your privacy, Jeff Schuler, CC-BY)
