ISPs Caught Disabling Encryption From Customers E-Mail Accounts
People ask me why I run my own e-mail server. The answer is simple: I’m in total control of every aspect of it, including security. Most people have to rely on their ISP for e-mail, and that means they have to trust it. However, the Electronic Frontier Foundation has found that you may not want to trust your ISP. Here’s what they posted:
Recently, Verizon was caught tampering with its customer’s web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers’ data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco’s PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
Lovely. But let me point something out here. If you send or receive e-mail, you have to assume that anyone can read it regardless of what encryption you think you have on it. So with that out of the way, let me explain the above in a non-nerdy way. Stripping out the STARTTLS flag may mean that you can’t authenticate to the mail server over an encrypted channel. Now some individuals also set an option that tells their e-mail clients that encryption is preferred, but not required, which they assume to be sufficient because they believe their mail server is encrypted. But it’s not sufficient. When those individuals use an ISP that strips out STARTTLS, they are transmitting authentication data in plain text for anyone to see. Of course this ignores the fact that nobody should be using STARTTLS in the first place as it’s not a great method of security for e-mail.
Fortunately, you do have options to protect yourself.
On my mail server, I set it up so that an authenticated connection is required for any outgoing user’s e-mail to go through it. Encryption is required before the client can authenticate. The IMAP server also requires encryption and won’t accept unencrypted connections. Now I host my mail server in a datacenter so it has almost direct access to the Internet. But if someone were to do anything that disables encryption, any time I try to send an e-mail it will result in errors being generated. That’s my clue that something is up that I need to look at. I’d recommend all mail servers be configured this way.
Now if you don’t run your own mail server, which would be most of the people reading this, there is something that you can do to protect yourself. You should set up your e-mail client to submit mail on port 465 (SMTPS) or 587 (SMTP). While you’re at it, you should receive e-mail on port 995 (POP3S). This assumes that your mail server supports this. Most of them do, but they don’t tell anyone. You should ask your ISP for more details.
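The difference between "encryption preferred" and "encryption required" described above can be seen in a small test. This is an added example, not code from the original post: the loopback server, its hostname `mail.example.test` and the function names are constructed for illustration, and the server simply omits the STARTTLS line to stand in for a capability list that was stripped in transit.

```python
import smtplib
import socket
import threading

def fake_smtp(advertise_starttls):
    """Constructed one-connection SMTP server on loopback; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 mail.example.test ESMTP\r\n")
            for line in rfile:
                cmd = line.strip().upper()
                if cmd.startswith(b"EHLO"):
                    caps = [b"250-mail.example.test", b"250-AUTH PLAIN LOGIN"]
                    if advertise_starttls:  # absent when stripped in transit
                        caps.append(b"250-STARTTLS")
                    caps.append(b"250 8BITMIME")
                    conn.sendall(b"\r\n".join(caps) + b"\r\n")
                elif cmd.startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 not implemented\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def check_submission(host, port, require_tls=True):
    """Report what a client with this TLS policy does after EHLO."""
    with smtplib.SMTP(host, port, local_hostname="client.example.test",
                      timeout=5) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            return "starttls offered: upgrade, then authenticate"
        if require_tls:
            # Same outcome as the errors described above: stop and investigate.
            return "fail closed: STARTTLS missing, credentials not sent"
        return "downgraded: a 'preferred' client authenticates in plaintext"

if __name__ == "__main__":
    for offered, required in [(True, True), (False, True), (False, False)]:
        port = fake_smtp(offered)
        print(offered, required, check_submission("127.0.0.1", port, required))
```

Only the client with `require_tls=True` turns a missing STARTTLS line into a visible failure; the "preferred" client carries on silently.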
This entry was posted on November 12, 2014 at 3:13 pm and is filed under Commentary with tags Security.