After the Edward Snowden case blown up in the US Government face, the US decided to create a task force to encrypt all that can, urging the adoption of HTTPS for all the government websites. Good idea, but there is still something missing in all this process, the email encryption.
In this specific case, the US military leaves their soldiers emails unencrypted, exposing them to possible interception by threat actors.
The principal technologist at the American Civil Liberties Union (ACLU), Chris Soghoian has been trying for years to push the adoption of encryption said something curious, “This is a pervasive problem in the government,” And in many ways it affects the parts on the government that should be more focused on security—they’re doing it worse.”
For obvious reasons the Military should be the ones given the example in terms of security, but surprisingly they aren’t alone in this, because neither Pentagon, including the Army, the Navy, the Defense Security Service, and DARPA, are using email encryption.
Inside the military only Air Force is using encryption in their emails, using STARTTLS to encrypt their e-mails.
STARTTLS is mainly a protocol that encrypts emails traveling from server mail to server mail, big companies (example Google) are using it to help in the standardization of encryption.
Even if you are encrypting your emails that doesn’t mean you are safe, because if your email provider doesn’t use STARTTLS, you are only encrypting your email from your computer to your provider, meaning that after travels across the internet in clear text (after getting out from the server of your email provider). By the way, this can be avoided with end-to-end encryption.
Let’s get some practical example to visualize what happens when your email provider doesn’t support STARTTLS:
The red line means that after getting out from your email provider server, the email is open to be read until it enter in the recipient’s email provider.
When emails provider support STARTTLS every single part of the email’s path will ensure encryption as can be seen:
I already reported that Google is using STARTTLS, what I haven’t told is that they are using it since the launch of Gmail in 2004, other companies like Microsoft Facebook, Twitter, Yahoo, only did their STARTTLS Implementation in 2014.
All this to get the key point of the article, private companies are going in the right direction, but how about the US Government? There the story is a bit different.
A spokesperson for the Defense Information Systems Agency (DISA), the Pentagon’s branch that oversees email and other technologies said their Enterprise emails doesn’t support STARTTLS.
“STARTTLS is an extension for the Post Office Protocol 3 and Internet Message Access protocols, which rely on username and password for system access,” “To remain compliant with DOD PKI policy, DEE does not support the use of username and password to grant access, and does not leverage either protocol.”
Opinions, commenting the words of the spokesperson said things like:
“an unacceptable and technically inept answer,”,
“I can’t think of a single technical reason why they wouldn’t use it,”
Now let’s again think about the US military, and for that I will be given a case scenario, a US military unit goes to Afghanistan and soldiers are sending emails, this means that the soldiers e-mail could be intercepted by a foreigner government, that is controlling the internet infrastructure in that country.
There are more agencies not using this layer of security, like the FBI, he Office of the Director of National Intelligence ( DNI), CIA, but it’s unclear why they don’t, NSA for example, is using STARTTLS.
The thing is, implementing STARTTLS its very cheap, and so , leaves me to believe that the reason why they aren’t using it may be related to other reasons that we can’t still comprehend, but one things is sure, STARTTLS should became a standard not only in the private domain, but also in the public (governments related) domain.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – US military, email encryption)