As a sort of sequel to its highly successful HTTPS Everywhere campaign, the Electronic Frontier Foundation has initiated a STARTTLS Everywhere project to improve email security.
Unfortunately, this is likely to prove a bit more challenging than HTTPS Everywhere because of issues with STARTTLS:
Although many mailservers enable STARTTLS, most still do not validate certificates. Without certificate validation, an active attacker on the network can read and even modify emails sent through your supposedly “secure” connection. Since it’s not common practice to validate certificates, there’s often little incentive to present valid certificates in the first place. A brief experiment on Censys shows that about half of the mailservers that support STARTTLS use self-signed certificates.
. . .
When two mailservers support STARTTLS, their insecure connection is opportunistically upgraded to a secure one. In order to make that upgrade, the two mailservers ask each other if they support STARTTLS. Since this initial negotiation is unencrypted, network attackers can alter these messages to make it seem like neither server supports STARTTLS, causing any emails to be sent unencrypted. ISPs in the U.S. and abroad have been caught doing exactly this, and in 2014, several researchers found that encryption on outbound email from several countries was being regularly stripped.
But you have to start somewhere, and the EFF should be commended for going beyond simply issuing policy prescriptions and recommendations, and doing a lot of the heavy lifting to improve end user security.
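The two gaps quoted above (a cleartext EHLO capability list that an on-path attacker can strip, and no certificate validation after the upgrade) can be closed on the sending side by failing closed instead of falling back to plaintext. The following is an added example, not code from the EFF post or the STARTTLS Everywhere project; REQUIRE_TLS is a hypothetical per-domain policy and the EHLO replies are constructed samples.

```python
"""Fail-closed STARTTLS policy check for an outbound SMTP client.

Added example, not code from the EFF or STARTTLS Everywhere. REQUIRE_TLS is a
hypothetical policy table; the EHLO replies below are constructed samples.
"""
import ssl

# Hypothetical policy: domains known to support STARTTLS. For these, a reply
# without STARTTLS is treated as a downgrade and mail is deferred, not sent clear.
REQUIRE_TLS = {"example.com", "example.net"}

# Constructed EHLO replies: an honest one, and the same reply with the
# STARTTLS line deleted in transit (the stripping the quoted text describes).
HONEST_EHLO = (
    "250-mx.example.com Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
STRIPPED_EHLO = HONEST_EHLO.replace("250-STARTTLS\r\n", "")


def parse_ehlo(reply: str) -> set:
    """Return the capability keywords advertised in a multi-line 250 reply."""
    caps = set()
    for i, line in enumerate(reply.splitlines()):
        if i == 0 or not line.startswith("250"):
            continue  # first line is the server greeting, not a capability
        fields = line[4:].split()  # drop the "250-" / "250 " prefix
        if fields:
            caps.add(fields[0].upper())
    return caps


def decide(domain: str, reply: str) -> str:
    """Return 'starttls', 'refuse' or 'plaintext' for this EHLO reply."""
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    if domain in REQUIRE_TLS:
        return "refuse"  # fail closed: possible stripping, defer delivery
    return "plaintext"  # opportunistic fallback that stripping relies on


def tls_context() -> ssl.SSLContext:
    """Strict client context: verifies the chain and the hostname, so a
    self-signed or mismatched certificate aborts the handshake."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

With the STARTTLS line stripped, a domain in REQUIRE_TLS gets "refuse" while an unlisted domain still degrades to "plaintext", which is exactly the behaviour a policy list is meant to remove.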
Rainey Reitman lays out the case for why payment processors such as Stripe and Paypal need to start publishing transparency reports that detail how often law enforcement agents are requesting data from them, and how often they are giving law enforcement data about users. To be honest, before reading her article I would have assumed that payment processors were already doing this since transparency reports are such a common feature today.
Payment processors like Stripe, Paypal, Bitpay, and Coinbase are the intermediaries that allow you to support your favorite websites, send donations, and make purchases online. They’re often privy to details of your financial life, which can be deeply revealing. Your finances can say a lot about your daily habits, your political orientation, your physical location at different moments in time, your associates, and your health concerns. Given how sensitive this information is, you might assume that law enforcement agents must show probable cause to a judge and receive a search warrant before accessing financial records. But you’d be wrong. Financial data is frequently obtained through a less stringent process, such as a subpoena, a 314(a) request, or a National Security Letter, none of which require review from a judge before being sent to the financial service provider. Furthermore, the financial industry is already heavily regulated and laws currently mandate that various financial institutions, from banks to money transmitters, must keep extensive customer records and proactively report information about large or suspicious transactions to the government. Over the last two decades, the volume of these reports has grown rapidly, now surpassing millions per year. In effect, thousands of companies have been deputized to bulk collect and report reams of private financial information to the government. . . . Tracking transparency reports year over year is vital to the public’s understanding of government efforts to surveil and censor. Analysts can use these reports to learn a lot: Are requests for user data increasing in particular sectors? How many accounts are impacted, and are all those accounts bundled into just a few requests? Are payment processors resisting certain government requests, or complying with every one?
Ideally, payment processors would choose to embrace even more transparency. For example, we’d like to see a commitment to publicly report on government requests that don’t come with an official subpoena, such as when Cook County Sheriff Thomas Dart violated the First Amendment by bullying credit card companies to shut down an account. We hope that financial companies would detail their process for handling government requests and include a process for account holders to appeal those decisions. We urge payment processors to report on how many Suspicious Activity Reports they file annually and how many unique customers those reports relate to. It would also be extremely helpful for payment processors to report on requests that may originate outside of the government, and to provide aggregate numbers on how many accounts are frozen and shut down in a year that aren’t about fraud.
The Electronic Frontier Foundation has released a new guide (400kb PDF version here) for travelers about how to protect their data and rights from increasingly intrusive U.S. border searches. EFF also has a Border Search Pocket Guide (776kb PDF) designed to be printed and carried along during border crossings.
“Digital Privacy at the U.S. Border” helps everyone do a risk assessment, evaluating personal factors like immigration status, travel history, and the sensitivity of the data you are carrying. Depending on which devices come with you on your trip, your gadgets can include information like your client files for work, your political leanings and those of your friends, and even your tax return. Assessing your risk factors helps you choose a path to proactively protect yourself, which might mean leaving some devices at home, moving some information off of your devices and into the cloud, and using encryption. EFF’s guide also explains why some protections, like fingerprint locking of a phone, are less secure than other methods.
. . .
“The border is not a Constitution-free zone, but sometimes the rules are less protective of travelers and some border agents can be aggressive,” said EFF Senior Staff Attorney Adam Schwartz. “That can put unprepared travelers in a no-win dilemma at the U.S. border. We need clearer legal protections for everyone, but in the meantime, our report and pocket guides aim to put more power back into the hands of travelers.”
In an end-of-the-year summary, the Electronic Frontier Foundation noted that deployment of HTTPS grew dramatically in 2016:
By some measures, more than half of page loads in Firefox and in Chrome are now secured with HTTPS—the first time this has ever happened in the Web’s history. That’s right: for the first time ever, most pages viewed on the Web were encrypted! (As another year-in-review post will discuss, browsers are also experimenting with and rolling out stronger encryption technologies to better protect those connections.)
The EFF cites the availability of tools and services such as Let’s Encrypt that make obtaining and deploying certificates easier, as well as increasing pressure on companies to encrypt all traffic rather than just specific subsets.
The one troubling spot is that this increase isn’t necessarily distributed well geographically:
A caveat: data from Google shows that use of HTTPS varies significantly from country to country, remaining especially uncommon in Japan. We’ve also heard that it’s still uncommon across much of East and Southeast Asia. Next year, we’ll have to find ways to bridge those gaps.
I’ve used HTTPS on 99 percent of my server for years now, but there was a tiny portion that was not HTTPS because of a specific application that used its own non-Apache server that did not play well with the Wildcard SSL certificate I use. This year, finally, I was able to use Let’s Encrypt to flawlessly install a certificate just for that. The process for doing so was ridiculously easy and took about 10 minutes from beginning to end to configure and test.