Shamed By Google's Email Security Transparency Report, Comcast Is Rushing To Better Encrypt Emails

from the sunlight-to-disinfectant dept

Well, that was quick. Yesterday Google announced its new email security/encryption transparency report, which revealed that Comcast and Verizon were primary offenders in not using TLS to encrypt emails, making those emails much more vulnerable to surveillance. In less than 24 hours, Comcast said that it is rushing to roll out TLS, with a company spokesperson saying it will be out there “within a matter of weeks” and that the company is being “very aggressive about this.” That’s good to see. Once again, greater transparency leads to greater protection.

Companies: comcast, google


Comments on “Shamed By Google's Email Security Transparency Report, Comcast Is Rushing To Better Encrypt Emails”

A New Anonymous says:

Re: Re:

End-to-end encryption protects against interception while the message is in transit. It is effective against mass recording of internet traffic content, which is trivially easy otherwise.

Of course, if either end is compromised, the content can be revealed at that end. This requires a targeted attack against a specific individual’s hardware, and is a separate problem to guard against.

Good security comes in layers. At present, unless we are specifically targeted, most of our communications will be hugely better protected if end-to-end encryption is used.

Anonymous Coward says:

Re: Re: Re:

End-to-end encryption protects against interception while the message is in transit.

With TLS that is between the user and the servers, and as Lavabit demonstrated the government will demand the keys. They will also justify that under the third party doctrine, as the servers are between the sender and the receiver and the data is given to the server company.

DaveHowe (profile) says:


Problem is, TLS is largely opportunistic; in the past, when I needed to force a connection to NOT be secure, I have simply hidden the STARTTLS offer in the EHLO response (literally rewrote that packet to read STARTTTT) and the link proceeded without attempting a secure handshake.

In cases where TLS *is* begun, actually checking the proffered certificate is the exception, not the rule – some will actually check expiry or domain name match, almost none will verify the CA chain (so a self-signed is fine) – again, this makes interception easy.

Adding this step does help – it means that attackers need to perform an active attack replacing some or all of the traffic, rather than passively recording – but it isn’t much more than a speed bump against a determined attacker with ISP router access.
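
The downgrade described in the comment above succeeds because an opportunistic sender treats a missing STARTTLS keyword as permission to deliver in the clear. The following sender-side sketch is an added example, not part of any comment or of the original post; the EHLO replies, the host name and the function names are constructed for illustration. It shows a sender that fails closed when TLS is required and builds a context that verifies the CA chain and host name.

```python
import ssl

# Constructed EHLO replies (sample data, not captured traffic).
EHLO_INTACT = (
    "250-mx.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same reply after the on-path keyword rewrite described in the comment.
EHLO_TAMPERED = EHLO_INTACT.replace("STARTTLS", "STARTTTT")


class TLSRequiredError(Exception):
    """Policy demands TLS but the server did not offer STARTTLS."""


def ehlo_extensions(reply):
    """Return upper-cased extension keywords from a multi-line EHLO reply."""
    exts = set()
    for line in reply.splitlines()[1:]:      # first line is the server greeting
        if not line.startswith("250"):
            continue
        parts = line[4:].split()             # skip "250-" or "250 "
        if parts:
            exts.add(parts[0].upper())
    return exts


def choose_transport(reply, require_tls):
    """Opportunistic senders fall back to plaintext; mandatory ones fail closed."""
    if "STARTTLS" in ehlo_extensions(reply):
        return "starttls"
    if require_tls:
        raise TLSRequiredError("STARTTLS not offered; refusing plaintext delivery")
    return "plaintext"


def verifying_context():
    """TLS context that validates the CA chain and the host name."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```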

Anonymous Coward says:

Headline is wrong. TLS does not encrypt e-mail. It encrypts e-mail traffic. Big difference.

Now if they took the time to make a 5-minute explanation on how to use PGP, *that* would be news.

It really isn’t as hard as people make it out to be. It suffers from the same problem that basic math does; people’s brains just shut down whenever it is mentioned, because they *think* it’s hard.

A New Anonymous says:

Re: Re:

True, but the problem is to make an encryption package available that people will use. It is hard to gain momentum because the people we communicate with have to use it as well.

If we can’t change people to fit their tools, we have to adapt the tools to fit the people.

This probably means a one-button “encrypt my email when possible” button as part of common email software. All details of private and public keys will have to be invisible by default.

To gain the necessary critical mass, we need to focus on getting the basic structure widely deployed. Then those willing and able to do more can work on improving security on their end.
