Internet service providers found to be removing mail encryption without permission


By Jimmy Smith

An Internet service provider is a company that provides a connection to the Internet. In Japan, examples include OCN, Yahoo! BB, eo, and BIGLOBE. It has come to light that Internet service providers, which are indispensable for connecting to the Internet, had been removing the encryption on customers' email without permission.

ISPs Removing Their Customers' Email Encryption | Electronic Frontier Foundation
https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks


Investigations over the past few months found that Internet service providers, including ones in Thailand, were removing the encryption known as "STARTTLS" and intercepting customers' data.

STARTTLS is a mechanism by which an e-mail server requests encryption when communicating with other servers and clients. Unlike PGP, which encrypts end to end, it encrypts only between servers. By disabling STARTTLS, the Internet service provider causes mail that the e-mail server should have encrypted to travel unencrypted.

By Roland Tanglao

It is also known that the reason the encryption is being removed lies in firewalls. Several firewalls, including Cisco PIX / ASA, monitor email to locate spam sources and prevent spam from being sent to regular users. These firewalls appear to disable STARTTLS in order to inspect mail, and as a result they remove the users' mail encryption on their own.

The disabling of STARTTLS, that is, the removal of mail encryption, has gone almost unnoticed until now. This is because it usually occurs on home networks and the like, and it is an "unusual event" for it to happen on a large scale at the mail-server level as it did this time.

By Tripp

Until 2013, STARTTLS was an uncommon encryption scheme. However, after the Electronic Frontier Foundation began evaluating the companies that adopt it in 2013, many companies adopted STARTTLS. As a result, many e-mail providers now appear to use STARTTLS to encrypt customers' e-mail. Jacob Hoffman-Andrews, a member of the technical staff at the Electronic Frontier Foundation, said, "It is very important that Internet service providers immediately stop removing mail encryption without authorization."

If you want to check whether your mail server is using STARTTLS, you can check it from the following page.

STARTTLS.info
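
The check described above can also be done by comparing what a mail server advertises when reached from a trusted network with what it advertises from your own connection. The following is an added example, not code from the article or from the EFF. The sample EHLO replies are constructed, and the `MASKED` pattern (a keyword overwritten with a run of X's) is an assumption about how an inspecting device alters the reply.

```python
import re
import smtplib

# Assumption: an inspecting device overwrites the keyword with a run of X's.
MASKED = re.compile(r"^X{4,}[A-Z]?$")

def ehlo_keywords(response):
    """Extension keywords from a raw multi-line EHLO reply."""
    keywords = []
    for line in response.splitlines()[1:]:      # line 1 is the greeting
        m = re.match(r"250[- ](\S+)", line.strip())
        if m:
            keywords.append(m.group(1).upper())
    return keywords

def classify(keywords):
    if "STARTTLS" in keywords:
        return "offered"
    if any(MASKED.match(k) for k in keywords):
        return "masked"
    return "absent"

def diagnose(reference, observed):
    """Compare a reply seen from a trusted network with one seen locally."""
    ref, obs = classify(ehlo_keywords(reference)), classify(ehlo_keywords(observed))
    if obs == "offered":
        return "ok"
    if ref == "offered":
        return "stripped-in-path (%s)" % obs
    return "server-does-not-offer"

def check_live(host, port=25, timeout=10):
    """Classify what a real server advertises from the current network."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return classify([k.upper() for k in s.esmtp_features])

# Constructed sample replies (not captured traffic).
DIRECT = "250-mail.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
MASKED_VIEW = DIRECT.replace("STARTTLS", "XXXXXXXA")
REMOVED_VIEW = DIRECT.replace("250-STARTTLS\r\n", "")

if __name__ == "__main__":
    for name, view in [("direct", DIRECT), ("masked", MASKED_VIEW), ("removed", REMOVED_VIEW)]:
        print(name, "->", diagnose(DIRECT, view))
```

A result of `stripped-in-path` means the server offers STARTTLS but the offer did not survive the path to you, which is the situation the article describes. `server-does-not-offer` means the server itself has no STARTTLS support.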

in Note, Posted by logu_ii