Cloud Hosting

One of the United States Senates most tech-savvy members is asking why much of the US militarys email still isnt protected by standard STARTTLS encryption technology.

Last month, Sen. Ron Wyden (D-Oregon) shared his concerns with DISA, the federal organization that runs mail.mil for the US army, navy, marines and the Coast Guard:

The technology industry created STARTTLS fifteen years ago to allow email servers to communicate securely and protect email messages from surveillance as they are transmitted over the internet. STARTTLS is widely supported by email server software but, critically, it is often not enabled by default, meaning email server administrators must turn it on.

Wyden noted that major tech companies including Google, Yahoo, Microsoft, Facebook, Twitter, and Apple use STARTTLS, as do the White House, Congress, NSA, CIA, FBI, Director of National Intelligence, and Department of Homeland Security but not DISA.

A 2015 Motherboard investigation originally uncovered the limited use of STARTTLS by U.S. government security agencies. Since then, Motherboard reports, many of the aforementioned agencies have started using STARTTLS but not DISA.

Wyden observed that until DISA enables STARTTLS, unclassified email messages sent between the military and other organizations will be needlessly exposed to surveillance and potentially compromised by third parties.

Even if all the military messages sent through DISAs servers are unclassified, if Wyden is correct, this might conceivably give adversaries additional insights into the US militarys structure, decision-makers, and decision-making processes.

Early reports on Wydens letter quoted DISA as saying that it would respond formally to him. DISA told Naked Security:

We are not at liberty to discuss specific tactics, techniques, and procedures by which DISA guards DOD email traffic. Email is one of the largest threat vectors in cyberspace. We can tell you that DISA protects all DOD entities with its Enterprise Email Security Gateway Solution (EEMSG) as a first line of defense for email security.

DISAs DOD Enterprise Email (DEE) utilizes the EEMSG for internet email traffic and currently rejects more than 85% of daily email traffic due to malicious behavior. DISA inspects the remaining 15% of email traffic to detect advanced, persistent cybersecurity threats. The Agency always makes deliberate risk-based decisions in the tools it uses for cybersecurity, to include email protocols for the DoD.

In the news you can use spirit, this might be a good time for a brief primer on STARTTLS. This SMTP extension aims to partially remedy a fundamental shortcoming of the original SMTP email protocol: it didnt provide a way to signal that email communication should be secured as messages hop across servers towards their destinations.

Using STARTTLS, an SMTP client can connect over a secure TLS-enabled port; the server can then advertise that a secure connection is available, and the client can request to use it.

STARTTLS isnt perfect. It can be vulnerable to downgrade attacks, where an illicit man-in-the-middle deletes a servers response that STARTTLS is available. Seeing no response, the client sends its message via an insecure connection, just as it would have if STARTTLS never existed. But, as the Internet Engineering Task Force (IETF) puts it, this opportunistic security approach offers some protection most of the time.

IETF says protocols like STARTTLS are:

not intended as a substitute for authenticated, encrypted communication when such communication is already mandated by policy (that is, by configuration or direct request of the application) or is otherwise required to access a particular resource. In essence, [they are] employed when one might otherwise settle for cleartext.

For context, Google reports that 88% of the Gmail messages it sends to other providers are now encrypted via TLS (in other words, both Google and the other provider supports TLS/STARTTLS encryption); 85% of messages inboundto Gmail are encrypted.

Would STARTTLS offer value in securing the military communications DISA manages through mail.mil? From the outside, its easy to say Yes. But it sure would be fascinating to hear the technical conversation between DISAs security experts and Senator Wydens.

Email service providers are caught on the horns of a dilemma, it seems. Naked Securitys Paul Ducklin says:

STARTTLS only deals with server-to-server encryption of the SMTP part, so it isnt a replacement for end-to-end encrypted email in environments where thats appropriate.In other words, there are situations in which you may be able to make a strong case for not needing STARTTLS. But my opinion is that its easier just to turn on STARTTLS anyway just think of all the time youll save not having to keep explaining that strong case of yours.

As for you: if you arent using STARTTLS wherever its available to you, why not?

Read the rest here:
Why isn't US military email protected by standard encryption tech? - Naked Security