Sign up for our newsletter
Technology / Cybersecurity

EFF slams ISPs for customer email decryption

The Electronic Frontier Foundation (EFF) advocacy group has criticised ISPs for removing their customers’ email encryption.

The move follows reports from the security company Golden Frog who discovered that encrypted emails would not send over the Cricket Wireless network last month, with the encryption command StartTLS being masked out by the servers.

Jacob Hoffman-Andrews, senior staff technologist at EFF, said: "Some firewalls, including Cisco’s PIX/ASA firewall do this in order to monitor for spam originating from within their network and prevent it from being sent.

"Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public internet, where it is subject to eavesdropping and interception."

White papers from our partners

He added that the problem had gone unnoticed because it tended to apply to residential networks, where email servers are rarely run, and also because StartTLS had been "relatively uncommon until late 2013".

The likes of Twitter, Yahoo and Facebook have all rolled out StartTLS this year, lauding the benefits of the technology to their customers’ privacy.

"It is important that ISPs immediately stop this unauthorized removal of their customers’ security measures," Hoffman-Andrews added.

"ISPs act as trusted gateways to the global Internet and it is a violation of that trust to intercept or modify client traffic, regardless of what protocol their customers are using."


This article is from the CBROnline archive: some formatting and images may not be present.