Net neutrality and how ISPs can impact your email security

by Bharat Suneja

There was a time ISPs limited themselves to providing layer 3 connectivity. You got a connection, and if the link was up and your computer or network configured correctly for Internet Protocol (IP) communication, you could send and receive TCP/IP packets over that link. The ISP controlled the bandwidth, which is the maximum rate at which packets would travel over the link. ISPs didn’t control or seem to care about the total amount of data transferred, the kind of traffic “on the wire” (such as, SMTP, HTTP, FTP, or an audio or video stream), the content or whether it was encrypted.

Over the years, with each round of consolidation in telecom (and cable) we’ve seen reduced competition in most markets. No wonder service providers are flexing their muscles and exerting more control over network traffic. Some examples:

  • Many service providers block certain ports or certain types of traffic that indicates business use – for example, an SMTP mail server or a web server. No business traffic on the “consumer web”.
  • AT&T has been sued by the FTC for illegally throttling customers with unlimited data plans. Although AT&T and other carriers don’t offer them any more, customers who had unlimited plans were grandfathered.
  • As widely reported, service providers are throttling certain content streams such as Netflix video, slowing down consumer traffic on the consumer web. Also as widely reported, Netflix is paying Comcast, Verizon & AT&T a toll to speed up its traffic. As Netflix explains, these are not the normal interconnect charges paid to transit carriers which typically carry traffic over long distances, but a toll to deliver traffic to customers on these carriers.

    Imagine if you had to pay an extra fee for speeding up your email to some networks or domains – besides what you already pay for Internet connectivity to your ISP.

  • Verizon and AT&T are tracking their users with ‘supercookies’ to collect information, including web sites visited. This enables them to profile users’ tastes and interests and use, sell or otherwise make this info available for targeted advertising. How’s that different from what Google does? Google’s services are free to consumers, but carriers charge you for Internet connectivity and should have no business tracking you or inspecting your traffic! Additionally, as the Washington Post reports:

    Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance.

There’s a general outcry over lack of Net neutrality, which requires that all lawful Internet traffic be treated equally. Whether we actually get meaningful laws to prevent ISP overreach remains to be seen.

How your ISP can remove your message security by preventing encryption

The Electronic Frontier Foundation (EFF) highlights the case of a mobile carrier Cricket preventing encrypted SMTP email traffic from an engineer at Golden Frog. I must admit, I hadn’t thought about this possibility, or a service provider’s ability to impact your organization’s security by preventing secure communication. How do they do this? By blocking the STARTTLS verb in SMTP communication.

Although most mail servers, including Microsoft Exchange, allow you to enforce TLS encryption (and use mutual TLS authentication, which uses certificates for authentication), most organizations continue to use opportunistic TLS, which involves the client sending the STARTTLS command to the SMTP server, volunteering to start communicating over a TLS-encrypted channel.

With TLS encryption taken out of the equation, the SMTP client and server can (and most do) continue their communication in the clear.

But the ISP is peeping into the application layer! In effect, it’s snooping on SMTP traffic to block STARTTLS – in security terms, a Man-In-The-Middle attack.

This may be an isolated incident, and the situation has returned to normal with STARTTLS working or being allowed again by the ISP. But if the questions remain unanswered, other ISPs may adopt similar methods.

As Golden Frog’s recent FCC filing shows, without any regulation to prevent such behaviour, service providers will go further in controlling and throttling traffic. Here’s what you can do.

{ 2 comments… read them below or add one }

Michel November 19, 2014 at 2:50 am

I remember having problems with encrypted email some years back.
It turned out that a Cisco 2811 router was altering the SMTP traffic to not allow SSL negotiation.
The block caused this error: ssl error 0x80090308
I had to change a setting which was disabled by default.

Reply

Bharat Suneja November 19, 2014 at 4:24 pm

Plenty of issues with Pix firewalls and MailGuard as well listed here.

Reply

Leave a Comment

Previous post:

Next post: