Posted By: ITWiser Webmaster - Yorkshire's IT Specialists
Posted By: IT Wiser
Is Your Encrypted E-Mail Really Encrypted? Maybe Not
When you send off encrypted e-mail to a vendor overseas, you expect the security measures your company has in place will ensure the e-mail is not intercepted and read by anyone other than the person for whom it is intended. However, your expectations and reality do not always meet eye-to-eye. In fact, encrypted e-mails being sent from your server may be tampered with, according to research conducted by the Electronic Frontier Foundation (EFF).
News reports from the tech world are saying the EFF is reporting incidents in both the US and Thailand involving ISPs stripping encrypted e-mail of the STARTTLS tag intended to make server-to-server communications secure. In so doing, these ISPs are sending and receiving e-mail as plain text across the open world of the Internet. Anyone with even a minor amount of hacking experience can take advantage of this obvious lack of security.
The justification for removing the STARTTLS tag is unclear. Nevertheless, the EFF has labelled the action as a ‘double violation’ inasmuch as companies are not only exposing their customers e-mail to security breaches, they are also violating the trust those customers have placed in them to provide proper security. The EFF is demanding that ISPs engaging in the practice cease and desist immediately.
Why It Matters
E-mail protected with the STARTTLS tag enjoys the additional protection of certain meta-tag data not covered by other security protocols. Moreover, because it is a server-to-server protocol, it can be implemented at the service provider level without any changes at the customer level. Yet STARTTLS has two major flaws:1. e-mail sent with the tag can be accessed and read by owners of the servers on either end; and
2. the STARTTLS tag itself is not encrypted, making easily removable.
Security experts say the best system is one that combines STARTTLS with PGP or S/MIME. Nonetheless, if ISPs were stripping the STARTTLS tag from e-mails, it would not make any difference which combination was used. In the end, it is the responsibility of the individual customer to check with ISP providers to find out their policies regarding e-mail encryption. ITWiser also recommends an external security audit as well.
External Security Audit
An external security audit from ITWiser helps to identify security weaknesses at the ISP level. We use a number of different hacking tools to simulate how others might try to get into your network in order to steal data, install malware on your computers, and so on. You can use the information from our audit report to strengthen your network and introduce new security protocols.
The fact that ISPs in the US and Thailand are interfering with encrypted e-mails means it is likely happening elsewhere as well. You cannot afford to allow your business to be exposed as a result of this careless and unnecessary practice. Take the steps now to ensure the security measures you put in place are not being compromised by your ISP. If we can help you with an external security audit, by all means contact us right away.