Net neutrality and how ISPs can impact your email security

by Bharat Suneja on November 18, 2014

There was a time when ISPs limited themselves to providing layer 3 connectivity. You got a connection, and if the link was up and your computer or network was configured correctly for Internet Protocol (IP) communication, you could send and receive TCP/IP packets over that link. The ISP controlled the bandwidth, which is the maximum rate at which packets would travel over the link. ISPs didn’t control or seem to care about the total amount of data transferred, the kind of traffic “on the wire” (such as SMTP, HTTP, FTP, or an audio or video stream), the content, or whether it was encrypted.

Over the years, with each round of consolidation in telecom (and cable) we’ve seen reduced competition in most markets. No wonder service providers are flexing their muscles and exerting more control over network traffic. Some examples:

  • Many service providers block certain ports or certain types of traffic that indicate business use – for example, an SMTP mail server or a web server. No business traffic on the “consumer web”.
  • AT&T has been sued by the FTC for illegally throttling customers with unlimited data plans. Although AT&T and other carriers don’t offer them any more, customers who had unlimited plans were grandfathered.
  • As widely reported, service providers are throttling certain content streams such as Netflix video, slowing down consumer traffic on the consumer web. Also as widely reported, Netflix is paying Comcast, Verizon & AT&T a toll to speed up its traffic. As Netflix explains, these are not the normal interconnect charges paid to transit carriers which typically carry traffic over long distances, but a toll to deliver traffic to customers on these carriers.

    Imagine if you had to pay an extra fee for speeding up your email to some networks or domains – besides what you already pay for Internet connectivity to your ISP.

  • Verizon and AT&T are tracking their users with ‘supercookies’ to collect information, including web sites visited. This enables them to profile users’ tastes and interests and use, sell or otherwise make this info available for targeted advertising. How’s that different from what Google does? Google’s services are free to consumers, but carriers charge you for Internet connectivity and should have no business tracking you or inspecting your traffic! Additionally, as the Washington Post reports:

    Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance.

There’s a general outcry over lack of Net neutrality, which requires that all lawful Internet traffic be treated equally. Whether we actually get meaningful laws to prevent ISP overreach remains to be seen.

How your ISP can remove your message security by preventing encryption

The Electronic Frontier Foundation (EFF) highlights the case of the mobile carrier Cricket preventing encrypted SMTP email traffic from an engineer at Golden Frog. I must admit, I hadn’t thought about this possibility, or a service provider’s ability to impact your organization’s security by preventing secure communication. How do they do this? By blocking the STARTTLS verb in SMTP communication.

Although most mail servers, including Microsoft Exchange, let you enforce TLS encryption (and use mutual TLS authentication, in which both sides authenticate with certificates), most organizations continue to use opportunistic TLS: the client sends the STARTTLS command to the SMTP server, volunteering to switch to a TLS-encrypted channel, and falls back to cleartext if that isn’t possible.

With TLS encryption taken out of the equation, the SMTP client and server can (and most do) continue their communication in the clear.

But the ISP is peeping into the application layer! In effect, it’s snooping on SMTP traffic to block STARTTLS – in security terms, a Man-In-The-Middle attack.
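The difference between opportunistic and required TLS comes down to one decision a client makes after reading the server’s EHLO reply. The following is an added example, not code from the original post or from Exchange: it parses a constructed EHLO reply, detects a missing STARTTLS advertisement, and refuses to continue in the clear when TLS is required. The host names and the constructed “stripped” reply are illustrative assumptions.

```python
# Added example: detect STARTTLS stripping and apply a required-TLS policy.
import re
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from a real server).
EHLO_NORMAL = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 36700160\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)
# Same reply after a middlebox overwrote the STARTTLS keyword with filler:
# an opportunistic-TLS client sees no STARTTLS and continues in cleartext.
EHLO_STRIPPED = EHLO_NORMAL.replace("STARTTLS", "XXXXXXXX")


def parse_ehlo(reply: str) -> set[str]:
    """Return the ESMTP keywords advertised in a multi-line 250 EHLO reply."""
    lines = reply.rstrip("\r\n").split("\r\n")
    keywords = set()
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line)
        if m is None:
            raise ValueError(f"malformed EHLO line: {line!r}")
        sep, text = m.groups()
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("'250 ' must terminate the reply exactly once")
        if i > 0 and text.strip():  # line 0 is the greeting, not a keyword
            keywords.add(text.split()[0].upper())
    return keywords


def tls_policy(reply: str, require_tls: bool = True) -> str:
    """Decide what to do after EHLO: 'starttls', 'cleartext' or 'refuse'."""
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    # Opportunistic TLS silently degrades here; required TLS refuses.
    return "refuse" if require_tls else "cleartext"


def connect_with_required_tls(host: str, port: int = 25) -> smtplib.SMTP:
    """Connect, EHLO, and continue only if STARTTLS is offered and verifies."""
    smtp = smtplib.SMTP(host, port, timeout=30)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.quit()
        raise RuntimeError(f"{host} did not advertise STARTTLS; refusing")
    smtp.starttls(context=ssl.create_default_context())  # verifies the cert
    smtp.ehlo()  # re-issue EHLO after TLS, as RFC 3207 requires
    return smtp
```

`connect_with_required_tls` is the live counterpart of `tls_policy` and needs network access; the two policy functions run offline.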

This may have been an isolated incident, and the situation has returned to normal, with STARTTLS working or being allowed again by the ISP. But if the questions it raises remain unanswered, other ISPs may adopt similar methods.

As Golden Frog’s recent FCC filing shows, without any regulation to prevent such behaviour, service providers will go further in controlling and throttling traffic. Here’s what you can do.
