Some ISPs are removing encryption from customers' connections to email servers – threatening the privacy of their communications – claims civil-liberties group the Electronic Frontier Foundation.
The STARTTLS flag is used by email software to request that the connection be encrypted while it is talking to another server or client.
Without this flag, email is sent in the clear, as a blog post by the Electronic Frontier Foundation (EFF) explains.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls... do this in order to monitor for spam originating from within their network and prevent it from being sent.
Unfortunately, this causes collateral damage: the sending server will proceed to transmit plain text email over the public internet, where it is subject to eavesdropping and interception.
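The negotiation described above, as an added example (not code from the EFF post or from any mail software): a parser for the EHLO reply, a client-side policy that either falls back to plain text when STARTTLS is absent (the default that makes stripping effective) or fails closed, and a helper that models the stripping so the fail-closed policy can be exercised offline. The EHLO reply text and the hostnames are constructed; `check_live_server` uses Python's standard `smtplib` and is only for a manual comparison from inside and outside a suspect network.

```python
import re
import smtplib

# Constructed sample EHLO reply; not a capture from any real server.
EHLO_ADVERTISING_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply: str) -> set[str]:
    """Return the upper-cased extension keywords in a multi-line 250 EHLO reply.

    The first 250 line carries the server's domain and greeting rather than an
    extension, so it is skipped; lines that are not 250 replies are ignored.
    """
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        match = re.match(r"250[ -](\S+)", line)
        if match:
            keywords.add(match.group(1).upper())
    return keywords


def strip_starttls(reply: str) -> str:
    """Model the middlebox behaviour the article describes: drop the STARTTLS
    line from the EHLO reply so the client never learns encryption is offered.
    Present only so the client policy below can be tested without a network."""
    kept = [ln for ln in reply.splitlines()
            if not re.match(r"250[ -]STARTTLS\b", ln, re.IGNORECASE)]
    if kept:
        # Keep the reply well-formed: the final line must use "250 " not "250-".
        kept[-1] = re.sub(r"^250-", "250 ", kept[-1])
    return "\r\n".join(kept) + "\r\n"


def decide_transport(reply: str, require_tls: bool) -> str:
    """Client-side policy applied to the EHLO reply.

    Returns 'tls' when STARTTLS was advertised. When it was not, either fall
    back to 'plaintext' (the permissive default) or, with require_tls set,
    refuse to continue so a stripped reply cannot downgrade the session.
    """
    if "STARTTLS" in parse_ehlo_extensions(reply):
        return "tls"
    if require_tls:
        raise RuntimeError("server did not advertise STARTTLS; refusing to send in the clear")
    return "plaintext"


def check_live_server(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Ask a real SMTP server whether it advertises STARTTLS (needs network access).

    Running this from inside and outside a suspect network and comparing the
    answers shows whether something on the path is removing the keyword.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")


if __name__ == "__main__":
    intact = EHLO_ADVERTISING_STARTTLS
    tampered = strip_starttls(intact)
    print("intact, permissive  :", decide_transport(intact, require_tls=False))
    print("tampered, permissive:", decide_transport(tampered, require_tls=False))
    try:
        decide_transport(tampered, require_tls=True)
    except RuntimeError as exc:
        print("tampered, strict    :", exc)
```

The permissive branch is the behaviour the article complains about: nothing in the protocol tells the client that a keyword was removed, so a client that treats STARTTLS as optional silently sends in plain text. Requiring TLS for a known peer turns the stripping into a visible delivery failure instead of a silent downgrade.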
STARTTLS stripping attacks have mostly gone unnoticed because they tend to be applied to residential networks, where it is uncommon to run an email server. Since late 2013, many of the biggest email providers (including Google) have implemented STARTTLS to protect their customers, a development that has increased usage of the technology and therefore increased the importance of its surreptitious removal by some ISPs.
Privacy advocates at the EFF compare STARTTLS stripping to Verizon's recently uncovered tampering with its customers' web requests to inject a tracking cookie.
Service providers stripping STARTTLS may be sniffing email or even running man-in-the-middle attacks. Under more charitable interpretations, the practice may be a form of housekeeping. Whatever the reasons, the practice is wrong and needs to stop, according to EFF senior staff technologist Jacob Hoffman-Andrews.
"It is important that ISPs immediately stop this unauthorised removal of their customers' security measures," he writes. "ISPs act as trusted gateways to the internet and it is a violation of that trust to intercept or modify client traffic, regardless of what protocol their customers are using."
"It is a double violation when such modification disables security measures their customers use to protect themselves," he added.