Protect your security from ISPs stripping email encryption

Cricket Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.

It is not at all clear why they were doing this, but we do know how. When an email client attempts to make a secure connection to a server, it sends a STARTTLS command. If the server never sees the STARTTLS, then it assumes you just wanted an insecure connection.

The ISP can easily modify the data stream to remove the request, causing your computer to connect without any encryption. According to the standard, the user is supposed to get a warning about this, but in practice almost all software just fails silently.

The best way to protect yourself against this attack is to encrypt your email end to end. You can use SMIME, which is built into most email clients, or GPG. GPG can be stronger, but it is harder to use, and easy to misuse. Either will significantly improve your security.

The next step is to use a VPN like to protect you against your ISP. It will also protect you against anyone else in the path between your computer and your VPN service. Unfortunately between them and the destination server, you are still vulnerable to any hostile ISPs.


Some other articles on this attack: Arstechnica, & The Washington Post

Also read:

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on FacebookTwitter, and Google+.

Gmail plugin enables tracking when and where you open your email.

Email in crosshairs A Stranger Can Find Out Where You Are By Getting You To Open An Email - On The Media

The ability to use remotely loaded images in HTML emails for tracking has been known for years, but perhaps not widely known.

The On The Media: TLDR podcast just re-surfaced the issue in the above article, where they talk about a free Gmail plugin called Streak, which provides this capability.

It automatically embeds the hidden images in emails you send, then lets you see when and even where the recipient opens them.

Because they appear to use IP address based locations, you can block the “where” part by using Anonymizer Universal.

You can block this tracking completely by turning off the loading of images in your emails. Of course, if you then choose to load images, know that you are also enabling tracking. If you block image loading you will also find that your email become much less attractive and significantly more difficult to read.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

Will a warrent be required to access your email.

Email Privacy Hearing Set To Go Before The House On Tuesday | WebProNews

The House Judiciary Committee is going to be discussing the Electronic Communications Privacy Act. There is a chance that they will strengthen it.

This act was written decades ago, before there were any real cloud solutions. Email was downloaded by your email client, and immediately deleted from the server. They law assumed that any email left on a server more than 180 days had been abandoned, and so no warrant was required for law enforcement to obtain it.

These days, with services like gmail, we tend to keep our email on the servers for years, with no thought that it has been abandoned. Law enforcement is opposing reforms of this law because it would make their work more difficult. Doubtless it would, as does almost any civil liberty.

Earlier this month Zoe Lofgren introduced the Online Communications and Geolocation Protection act, amending ECPA. It would require a warrant to obtain cell phone location information. There is clearly some momentum for reform.

Facebook tries to force you to use their email

Forbs recently noticed that Facebook suddenly and basically without warning made your default visible email address on your timeline.

I had no idea that such an email address even existed! I certainly don't check it explicitly. Emails to that address end up in your standard Facebook messages queue, which for me is mostly a black hole.

LifeHacker has a nice article on how to change the settings back to how you might want them.

You may not want some spammer to get that address and start filling up your Facebook messages queue.

Big public email database with some interesting efforts at privacy launched this month

The press release linked at the bottom of this post is for a new website called While I normally ignore most of the PR blasts sent to this blog, this one seemed worth posting because of the interesting realities and conflicts it exposes. The idea is that you can use their database to find and email people. Their database contains 68.8 million email addresses, a huge number but only a fraction of all US email addresses. Given that many such databases exist, it seems inevitable that someone would set up a service like this.

On the positive side, they are doing a few different things to try to minimize abuse. First, they are limiting users to 5 message per day (although it is not clear how that is enforced). Second, they provide some general address location information about all the name matches to make it more likely that you are going to email the correct person. Finally, they don't actually give you the recipients email address.

This last step is the most interesting. They allow you to write your email in a web form, then send it for you without revealing the recipients address to you. Of course it will be possible to abuse this, but probably not in any way that is not already widely possible. I also assume that this company keeps copies of the emails and adds your name and return address to their database. This is about protecting recipient privacy, not sender privacy.

On the whole, I am not happy that such services exist at all. I use social networking sites to make contact with me by strangers possible but only in the manner of my choosing. I don't want random people sending messages to my personal or work email addresses. Imagine a distributed attack by members of Anonymous or LulzSec all sending 5 emails each to some victim. Of course the odds are that any attacker would have little difficulty in discovering the victim's address through other means and then would not have any effective limit to the number of emails sent.

This may also turn out to be an unfortunate service for people who share a name with a celebrity. Interestingly, for people the service finds where it does not have an email address in the database, a paid ad refers you to where you can pay a couple of dollars to get the real address without any privacy features.

At the end of the day, the good news is that this company is making a significant effort to pay attention to the privacy implications of their service.

First-Ever Free Email Directory With Added Privacy Protection -- JACKSONVILLE, Fla., June 21, 2011 /PRNewswire/ --


Using Language Patterns to Pierce Anonymity

Thanks to Bruce Schneier for linking to this interesting article on using patterns in language to identify the author of emails. While the technique would not allow them to identify your anonymous emails in an ocean of others, that is rarely the real world threat scenario.

In many cases there is a relative hand full of likely authors of a given email or group of emails. It is often possible to gather large samples of emails known and acknowledged to be from the likely authors. In that case this technique has a small group of targets and excellent training materials which allow for very high levels of accuracy (the authors of the paper claim 80% - 90%). That is probably enough to get a warrant to search your home and computers.

Unless you have been unusually careful, the gig is probably up by then. Remember, this might not be for criminal matters. It many cases this would come up in whistle blowing or other non-criminal situations.