ISPs Stripping Encryption from Personal Mails

November 14, 2014 – 5:26 AM

The Electronic Frontier Foundation (EFF), an internet freedom watchdog group, is reporting that for the past few months, some ISPs in the US and Thailand have been caught removing encryption from customers’ emails by stripping a security flag called STARTTLS from the server-to-server exchange that carries the messages.

The STARTTLS flag is an essential security and privacy protection: an email server advertises it to signal that the connection can be upgraded to an encrypted one when talking to another server or client. By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default (opportunistic TLS) the sending server falls back to transmitting plaintext email over the public Internet, where it is easily subject to eavesdropping and interception.
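How a sending client can fail closed instead of degrading to plaintext when STARTTLS is missing from the EHLO reply, as an added example (not code from the article, the EFF or Golden Frog); the hostnames, capability lines and the overwritten `XXXXXXXX` line are constructed for illustration.

```python
"""Fail-closed STARTTLS check for an SMTP client.

Added example, not code from the article or from EFF/Golden Frog. Hostnames,
capability lists and the "XXXXXXXX" line are constructed for illustration.
"""
import re
import smtplib
import ssl

# Constructed EHLO replies: one intact, one as a client would see it after a
# middlebox overwrote the STARTTLS capability line.
EHLO_INTACT = "250-mx.example.test Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_STRIPPED = "250-mx.example.test Hello\r\n250-SIZE 52428800\r\n250-XXXXXXXX\r\n250 HELP\r\n"

_CAP = re.compile(r"^250[ -](\S+)")


def parse_ehlo(reply: str) -> list[str]:
    """Capability keywords from a multi-line EHLO reply (greeting line excluded)."""
    keywords = [m.group(1).upper() for line in reply.splitlines() if (m := _CAP.match(line))]
    return keywords[1:]


def choose_transport(reply: str, require_tls: bool = True) -> str:
    """'starttls' if advertised; otherwise 'abort' (fail closed) or 'plaintext'.

    require_tls=False reproduces the opportunistic behaviour the article describes:
    a missing STARTTLS silently degrades the session to cleartext.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    return "abort" if require_tls else "plaintext"


def open_session_require_tls(host: str, port: int = 587) -> smtplib.SMTP:
    """Connect, and refuse to continue unless STARTTLS is offered and succeeds."""
    smtp = smtplib.SMTP(host, port, timeout=10)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.close()
        raise RuntimeError(f"{host}:{port} did not advertise STARTTLS; "
                           "refusing to send in cleartext (possible stripping)")
    smtp.starttls(context=ssl.create_default_context())  # verifies the server cert
    smtp.ehlo()  # re-read capabilities inside the TLS session, not the cleartext ones
    return smtp
```

`open_session_require_tls` needs a live server; the two parse/policy functions run offline against the constructed replies.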

One example, according to Golden Frog, is Cricket Wireless. The personal VPN service provider noted in filings with the FCC that its analysis showed that Cricket was interfering with its users’ ability to encrypt their SMTP email traffic by “overwriting the content of users’ communications and actively blocking STARTTLS encryption. This is a man-in-the-middle attack that prevents customers from using the applications of their choosing and directly prevents users from protecting their privacy.”

Cricket has since stopped doing this, Golden Frog said. For its part, Cricket has not issued a public statement on the accusation.

But the move to block encryption, if proven true, clearly runs counter to the basic principles of a free, open and unencumbered internet—and the privacy implications are, of course, myriad.
