At Least One ISP Trying to Prevent Customers from Using Encrypted Communications

Once again the centralized nature of today’s Internet is biting us in the ass. In addition to Internet Service Providers (ISP) already throttling traffic we now have one wireless provider actively preventing its customers from using STARTTLS:

But the second example Golden Frog provides is much scarier and much more pernicious, and it has received almost no attention.

In the second instance, Golden Frog shows that a wireless broadband Internet access provider is interfering with its users’ ability to encrypt their SMTP email traffic. This broadband provider is overwriting the content of users’ communications and actively blocking STARTTLS encryption. This is a man-in-the-middle attack that prevents customers from using the applications of their choosing and directly prevents users from protecting their privacy.


This is scary. If ISPs are actively trying to block the use of encryption, it shows how they might seek to block the use of VPNs and other important security protection measures, leaving all of us less safe. Golden Frog provides more details of what’s happening in this case:

Golden Frog performed tests using one mobile wireless company’s data service, by manually typing the SMTP commands and requests, and monitoring the responses from the email server in issue. It appears that this particular mobile wireless provider is intercepting the server’s banner message and modifying it in-transit from something like “220 [servername] ESMTP Postfix” to “200 ********************.” The mobile wireless provider is further modifying the server’s response to a client command that lists the extended features supported by the server. The mobile wireless provider modifies the server’s “250-STARTTLS” response (which informs the client of the server’s capacity to enable encryption). The Internet access provider changes it to “250-XXXXXXXA.” Since the client does not receive the proper acknowledgement that STARTTLS is supported by the server, it does not attempt to turn on encryption. If the client nonetheless attempts to use the STARTTLS command, the mobile wireless provider intercepts the client’s commands to the server and changes it too. When it detects the STARTTLS command being sent from the client to the server, the mobile wireless provider modifies the command to “XXXXXXXX.” The server does not understand this command and therefore sends an error message to the client.

As Golden Frog points out, this is “conceptually similar” to the way in which Comcast was throttling BitTorrent back in 2007 via packet reset headers, which kicked off much of the last round of net neutrality concerns. The differences here are that this isn’t about blocking BitTorrent, but encryption, and it’s a mobile internet access provider, rather than a wired one. This last point is important, since even the last net neutrality rules did not apply to wireless broadband, and the FCC is still debating if it should apply any new rules to wireless.

The article is arguing from a net neutrality angle but I see this as a technical issue. This is only made possible because Internet access is centrally controlled and end-to-end encryption wasn’t in the original design. Decentralizing Internet access would be a major win because it would prevent any single organization from weakening Internet security by blocking encrypted traffic. And if end-to-end encryption was in the originally design (which, I understand, was not technically feasible at the time) this wouldn’t be possible because blocking encrypted communications would block any communications.

Net neutrality will not save us. After all the government, especially the National Security Agency (NSA), probably has a literal hard-on for this idea. Again I reiterate that the only way to save the Internet is to wrestle control over it away from the state and its corporate partners that are providing our Internet access. I will again point out that mesh networks are a pretty neat idea for accomplishing exactly this. Instead of howling for the government to step in and save us from itself I believe we should be investing our energies in trying to decentralize Internet access as much as possible.