Shamed By Google's Email Security Transparency Report, Comcast Is Rushing To Better Encrypt Emails
from the sunlight-to-disinfectant dept
Well, that was quick. Yesterday Google announced its new email security/encryption transparency report, which revealed that Comcast and Verizon were primary offenders, in not using TLS to encrypt emails, making them much more vulnerable to surveillance. And, in less than 24 hours, Comcast quickly said that it is rushing to roll out TLS, with a company spokesperson saying it will be out there "within a matter of weeks" and that the company is being "very aggressive about this." That's good to see. Once again, greater transparency leads to greater protection.
Filed Under: email, encryption, tls
Companies: comcast, google
Reader Comments
Re:
1. yes
2. some don't have a choice
[ link to this | view in thread ]
missing
[ link to this | view in thread ]
Re:
Of course, if either end is compromised, the content can be revealed at that end. This requires a targeted attack against a specific individual's hardware, and is a separate problem to guard against.
Good security comes in layers. At present, unless we are specifically targeted, most of our communications will be hugely better protected if end-to-end encryption is used.
[ link to this | view in thread ]
Oh right, out of all the computer users today, probably only 0.000000001% would know how to use them since it involves more than clicking a single button.
[ link to this | view in thread ]
Not when the hardware is compromised by design, straight from the factory - it's a *default* condition.
[ link to this | view in thread ]
Re: Re:
With TLS that is between the user and the servers, and as Lavabit demonstrated the government will demand the keys. They will also justify that under the third party doctrine, as the servers are between the sender and the receiver and the data is given to the server company.
[ link to this | view in thread ]
TLS
In cases where TLS *is* begun, actually checking the proffered certificate is the exception, not the rule - some will actually check expiry or domain name match, almost none will verify the CA chain (so a self-signed is fine) - again, this makes interception easy.
Adding this step does help - it means that attackers need to perform an active attack replacing some or all of the traffic, rather than passively recording - but it isn't much more than a speed bump against a determined attacker with ISP router access.
[ link to this | view in thread ]
Re: TLS
If you connect directly via TLS this is not possible.
[ link to this | view in thread ]
Now if they took the time to make a 5-minute explanation on how to use PGP, *that* would be news.
It really isn't as hard as people make it out to be. It suffers from the same problem that basic math does; people's brains just shut down whenever it is mentioned, because they *think* it's hard.
[ link to this | view in thread ]
TLS for Web mail only and/or stand alone software?
[ link to this | view in thread ]
Comcast to better encrypt email
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
If we can't change people to fit their tools, we have to adapt the tools to fit the people.
This probably means a one-button "encrypt my email when possible" button as part of common email software. All details of private and public keys will have to be invisible by default.
To gain the necessary critical mass, we need to focus on getting the basic structure widely deployed. Then those willing and able to do more can work on improving security on their end.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Why competition is good and monopolies are bad.
[ link to this | view in thread ]