


Protect your security from ISPs stripping email encryption


Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.

It is not at all clear why they were doing this, but we do know how. When an email client wants to upgrade its connection to a mail server to an encrypted one, it sends a STARTTLS command. If the server never sees that STARTTLS command, it assumes you only wanted an unencrypted connection and carries on in plaintext.

An ISP sitting in the path can easily modify the data stream to remove that request, so your computer ends up connected without any encryption. According to the standard, the user is supposed to be warned when this happens, but in practice almost all email software silently falls back to the unencrypted connection.
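As an added illustration (not code from the original post), here is the client-side check that turns the silent fallback into a hard failure: parse the server's EHLO reply, and refuse to continue unless STARTTLS is actually offered. The EHLO replies are constructed samples, and the hostname `mail.example.net` is a placeholder.

```python
# Constructed sample: a normal EHLO reply that advertises STARTTLS.
EHLO_NORMAL = (
    "250-mail.example.net Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# Constructed sample: the same reply after an on-path ISP removed the STARTTLS offer.
EHLO_STRIPPED = (
    "250-mail.example.net Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo_extensions(reply: str) -> set:
    """Return the extension keywords advertised in a 250 EHLO reply.

    RFC 5321 formats continuation lines as "250-KEYWORD [params]" and the
    final line as "250 KEYWORD"; the first line is the server greeting.
    """
    exts = set()
    for line in reply.splitlines()[1:]:  # skip the greeting
        if not line.startswith("250") or len(line) < 5:
            raise ValueError("malformed EHLO line: %r" % line)
        exts.add(line[4:].split(" ", 1)[0].upper())
    return exts


def negotiate(reply: str, require_tls: bool) -> str:
    """Decide how the client proceeds after reading the EHLO reply.

    Returns "tls" when STARTTLS is offered, "plaintext" when it is not and
    the client is permissive (the common default), and raises when the
    client requires TLS, which is the setting that defeats the downgrade.
    """
    if "STARTTLS" in parse_ehlo_extensions(reply):
        return "tls"
    if require_tls:
        raise ConnectionError("server did not offer STARTTLS; refusing to "
                              "send in cleartext (possible on-path stripping)")
    return "plaintext"  # the silent downgrade the article describes


if __name__ == "__main__":
    print(negotiate(EHLO_NORMAL, require_tls=True))     # tls
    print(negotiate(EHLO_STRIPPED, require_tls=False))  # plaintext
```

Most real clients expose this as a "require STARTTLS" or "always use encryption" option; with it off, the stripped reply is accepted exactly as the permissive branch shows.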

The best way to protect yourself against this attack is to encrypt your email end to end. You can use S/MIME, which is built into most email clients, or GPG. GPG can be stronger, but it is harder to use and easy to misuse. Either one will significantly improve your security.

The next step is to use a VPN to protect you against your ISP. It will also protect you against anyone else in the path between your computer and the VPN service. Unfortunately, between the VPN service and the destination server you are still exposed to any hostile ISP.


Some other articles on this attack: Ars Technica and The Washington Post.


Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.



  • Sumit · August 11, 2016 at 6:30 am

    I don’t have immense knowledge about S/MIME, but I will surely study this in depth. You mentioned that we are still vulnerable to any hostile ISPs between the VPN and the destination server. How is that possible if we use a virtual private network?


    • Author comment by lance · August 11, 2016 at 9:59 am

      If the server you are reaching is out on the public Internet, then the VPN will not provide end-to-end protection. The VPN will only extend from your computer to the VPN server. From there to the destination it will be like any other connection. This is a different situation from using a VPN to connect to a server in an office network. There the server is generally not public and is on the same, presumably safe, network as the VPN server.

