Shamed By Google's Email Security Transparency Report, Comcast Is Rushing To Better Encrypt Emails

from the sunlight-to-disinfectant dept

Well, that was quick. Yesterday Google announced its new email security/encryption transparency report, which revealed that Comcast and Verizon were primary offenders in not using TLS to encrypt emails, making those emails much more vulnerable to surveillance. And, in less than 24 hours, Comcast said that it is rushing to roll out TLS, with a company spokesperson saying it will be out there "within a matter of weeks" and that the company is being "very aggressive about this." That's good to see. Once again, greater transparency leads to greater protection.

Reader Comments

  1.  
    That One Guy (profile), Jun 4th, 2014 @ 3:23pm

    Given the company, I think 'I'll believe it when I see it' is appropriate here. Companies like Comcast are infamous for promising one thing and then maybe, sometime down the line, delivering something that has a passing resemblance to what they promised.

     

  2.  
    Anonymous Coward, Jun 4th, 2014 @ 4:17pm

    so why did it have to wait to do something? does it think that no one else would do it? does it think so little of its customers that it can risk losing some? with net neutrality almost certainly wiped off the choices, i suppose they could do what they liked

     

  3.  
    Anonymous Coward, Jun 4th, 2014 @ 4:29pm

    Re:

    "does it think so little of its customers that it can risk losing some"


    1. yes
    2. some don't have a choice

     

  4.  
    Josh (profile), Jun 4th, 2014 @ 4:52pm

    missing

    The company I work for, Midcontinent, isn't on their list. I'm not sure what that means.

     

  5.  
    Anonymous Coward, Jun 4th, 2014 @ 5:20pm

    I wish my ISP would use encryption for e-mail. I don't use it for much, but still....

     

  6.  
    Anonymous Coward, Jun 4th, 2014 @ 6:29pm

    Any security expert worth his or her salt will tell you end to end encryption clients are absolutely *worthless* on compromised hardware - THIS INCLUDES *ANY* GIVEN SMARTPHONE BY DEFAULT.

     

  7.  
    A New Anonymous, Jun 4th, 2014 @ 7:57pm

    Re:

    End-to-end encryption protects against interception while the message is in transit. It is effective against mass recording of internet traffic content, which is trivially easy otherwise.

    Of course, if either end is compromised, the content can be revealed at that end. This requires a targeted attack against a specific individual's hardware, and is a separate problem to guard against.

    Good security comes in layers. At present, unless we are specifically targeted, most of our communications will be hugely better protected if end-to-end encryption is used.

     

  8.  
    Rekrul, Jun 4th, 2014 @ 8:50pm

    Stand-alone encryption programs like PGP have existed for years, so why is it suddenly necessary that big companies now add encryption to keep us all safe?

    Oh right, out of all the computer users today, probably only 0.000000001% would know how to use them since it involves more than clicking a single button.

     

  9.  
    Anonymous Coward, Jun 4th, 2014 @ 8:52pm

    "This requires a targeted attack against a specific individual's hardware, and is a separate problem to guard against."

    Not when the hardware is compromised by design, straight from the factory - it's a *default* condition.

     

  10.  
    Anonymous Coward, Jun 5th, 2014 @ 1:08am

    It's 2014, Comcast. Still no TLS email? The Slowskys are running circles around you for crying out loud!

     

  11.  
    Anonymous Coward, Jun 5th, 2014 @ 1:44am

    Re: Re:

    "End-to-end encryption protects against interception while the message is in transit."

    With TLS that is between the user and the servers, and as Lavabit demonstrated the government will demand the keys. They will also justify that under the third party doctrine, as the servers are between the sender and the receiver and the data is given to the server company.

     

  12.  
    DaveHowe (profile), Jun 5th, 2014 @ 3:35am

    TLS

    Problem is, TLS is largely opportunistic; in the past, when I needed to force a connection to NOT be secure, I have simply hidden the STARTTLS offer in the EHLO response (literally rewrote that packet to read STARTTTT) and the link proceeded without attempting a secure handshake.

    In cases where TLS *is* begun, actually checking the proffered certificate is the exception, not the rule - some will actually check expiry or domain name match, almost none will verify the CA chain (so a self-signed is fine) - again, this makes interception easy.

    Adding this step does help - it means that attackers need to perform an active attack replacing some or all of the traffic, rather than passively recording - but it isn't much more than a speed bump against a determined attacker with ISP router access.

     

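The downgrade and the verification gap described in the comment above, seen from the sending side, as an added example that is not part of the original thread. The EHLO replies are constructed, and the host name `mx.example.net` and all function names are assumptions made for illustration.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured traffic): one intact, one with the
# STARTTLS keyword mangled in transit as the comment describes.
EHLO_INTACT = b"250-mx.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_MANGLED = EHLO_INTACT.replace(b"STARTTLS", b"STARTTTT")


def offers_starttls(ehlo_reply: bytes) -> bool:
    """Return True if any 250 line advertises the STARTTLS extension."""
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        # Reply lines look like "250-KEYWORD args" or "250 KEYWORD args".
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False


def choose_transport(ehlo_reply: bytes, require_tls: bool) -> str:
    """Decide how to continue the session after EHLO."""
    if offers_starttls(ehlo_reply):
        return "starttls"
    # No offer: an opportunistic sender silently continues in the clear,
    # an enforcing sender treats the missing offer as a failure.
    return "refuse" if require_tls else "plaintext"


def strict_context() -> ssl.SSLContext:
    """TLS settings that verify the CA chain and the host name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_enforced(host: str, sender: str, rcpt: str, message: str) -> None:
    """Send only over a verified TLS session (not exercised offline)."""
    with smtplib.SMTP(host, 25, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("STARTTLS not offered; refusing plaintext")
        smtp.starttls(context=strict_context())
        smtp.ehlo()  # capabilities must be re-read inside the TLS session
        smtp.sendmail(sender, rcpt, message)
```

With `require_tls=False` the mangled reply yields a silent plaintext session; with enforcement the same reply becomes a visible delivery failure that can be logged and alerted on.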

  13.  
    Anonymous Coward, Jun 5th, 2014 @ 5:15am

    Re: TLS

    STARTTLS is different from TLS, as you actually start the connection in plain text; this is why you could force a plaintext exchange.

    If you connect directly via TLS this is not possible.

     

  14.  
    Anonymous Coward, Jun 5th, 2014 @ 5:24am

    Headline is wrong. TLS does not encrypt e-mail. It encrypts e-mail traffic. Big difference.

    Now if they took the time to make a 5-minute explanation on how to use PGP, *that* would be news.

    It really isn't as hard as people make it out to be. It suffers from the same problem that basic math does; people's brains just shut down whenever it is mentioned, because they *think* it's hard.

     

  15.  
    streetlight (profile), Jun 5th, 2014 @ 6:29am

    TLS for Web mail only and/or stand alone software?

    I use Thunderbird to look at my Comcast email, not their web site email function. Will TLS apply to both or only one of these methods to get and send email?

     

  16.  
    Bryce Giesler, Jun 5th, 2014 @ 7:56am

    Comcast to better encrypt email

    Aaaaand another Comcast price hike coming in 3..., 2...., 1....

     

  17.  
    Anonymous Coward, Jun 5th, 2014 @ 7:58am

    Does anyone really believe Verizon & Comcast et al would not simply hand over the encryption keys to NSA if asked? And I mean asked as in questioned, not as in court order.

     

  18.  
    John Fenderson (profile), Jun 5th, 2014 @ 8:23am

    Re:

    No, but there's a lot of value to using SSL even if the NSA can still read the datastream. The NSA is far from the only entity spying out there.

     

  19.  
    A New Anonymous, Jun 5th, 2014 @ 8:44am

    Re:

    True, but the problem is to make an encryption package available that people will use. It is hard to gain momentum because the people we communicate with have to use it as well.

    If we can't change people to fit their tools, we have to adapt the tools to fit the people.

    This probably means a one-button "encrypt my email when possible" button as part of common email software. All details of private and public keys will have to be invisible by default.

    To gain the necessary critical mass, we need to focus on getting the basic structure widely deployed. Then those willing and able to do more can work on improving security on their end.

     

  20.  
    Anonymous Coward, Jun 5th, 2014 @ 1:03pm

    Re: Re:

    That's right, there is also Google (et al.). Oh wait...

     

  21.  
    William Brown (profile), Jun 5th, 2014 @ 1:38pm

    Why competition is good and monopolies are bad.

    Competition generates better service to the client.

     
