2017-07-07
The Pentagon Says It Will Start Encrypting Soldiers' Emails Next Year (vice.com)
An anonymous reader shares a Motherboard report: Basic decade-old encryption technology is finally coming to Pentagon email servers next year. For years, major online email providers such as Google and Microsoft have used encryption to protect your emails as they travel across the internet. That technology, technically known as STARTTLS, isn't a cutting edge development -- it's been around since 2002. But since that time the Pentagon never implemented it. As a Motherboard investigation revealed in 2015, the lack of encryption potentially left some soldiers' emails open to being intercepted by enemies as they travel across the internet. The US military uses its own internal service, mail.mil, which is hosted on the cloud for 4.5 million users. But now the Defense Information Systems Agency or DISA, the Pentagon's branch that oversees email, says it will finally start using STARTTLS within the year, according to a letter from DISA. DISA's promise comes months after Senator Ron Wyden (D-Oregon) said he was concerned that the agency wasn't taking advantage of "a basic, widely used, easily-enabled cybersecurity technology."
Available Encryption (Score:4, Informative)
None of this, of course, is to say that encryption of email itself has been unavailable. Indeed I use the credentials on my CAC (Common Access Card) to encrypt most if not all of my email before sending it.
Re: (Score:1)
Shoulda remembered I was reading a slashdot post...
MITM (Score:4, Informative)
StartTLS is no panacea, an active MITM peer can simply strip the request.
Actually, no.
- if you set StartTLS to "required" (or if you use IMAPS), your client will only go further if a successful SSL/TLS encrypted link is established with the server.
The MITM can't just strip the request, the client will refuse to connect.
- SSL/TLS links will fail if they are not signed by a recognized authority.
The attacker needs to have a key that is signed by a trusted authority (and thus either needs to have a certificate issuer in cahoots - has actually happened with some cert authorities in the past - or needs to manage to get control of the e-mail server (thus can actually access without MITM), OR can steal the original private key and freely MITM, OR can generate a new key and have it at least non-EV signed and use this new key for MITM).
MITM is the main class of problems that SSL/TLS can successfully fight (when done right).
(As opposed to "privacy" class of problems, which are better handled with end-to-end encryption, like PGP / GPG (web of trust) or S/MIME (public key /certificates) )
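An added example (not code from the page, from Slashdot, or from DISA/mail.mil) of what "set StartTLS to required" means in client code: a Python SMTP sender that refuses cleartext delivery when the server's EHLO reply does not advertise STARTTLS, and that hands `smtplib` a verifying TLS context so a certificate that does not chain to a trusted authority aborts the handshake. The host name, port, and the two EHLO replies are constructed for illustration; the second reply is the same greeting with the STARTTLS line absent, which is what a client sees when an intermediary removes it.

```python
"""Added example: an SMTP client that treats STARTTLS as required.

Not code from the page or from DISA/mail.mil. The host, port and the
sample EHLO replies below are constructed for illustration.
"""
import smtplib
import ssl
from typing import Optional


def strict_tls_context() -> ssl.SSLContext:
    """Context that verifies the server certificate chain and hostname.

    create_default_context() sets verify_mode to CERT_REQUIRED and
    check_hostname to True, so a self-signed or mismatched certificate
    presented by an interposed host aborts the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls_offered(ehlo_response: bytes) -> bool:
    """Return True if an EHLO reply advertises the STARTTLS extension.

    Each reply line is "250-KEYWORD ..." (more lines follow) or
    "250 KEYWORD ..." (last line); only the keyword is compared.
    """
    for raw in ehlo_response.splitlines():
        line = raw.decode("ascii", errors="replace")
        if len(line) < 5 or line[:3] != "250" or line[3] not in "- ":
            continue
        rest = line[4:].strip()
        if rest and rest.split()[0].upper() == "STARTTLS":
            return True
    return False


def send_requiring_tls(host: str, port: int, sender: str, recipient: str,
                       message: str,
                       context: Optional[ssl.SSLContext] = None) -> None:
    """Deliver one message, never falling back to cleartext.

    If the server (or anything between us and it) does not advertise
    STARTTLS, nothing is sent. If the handshake fails certificate
    verification, smtplib raises ssl.SSLError and nothing is sent either.
    """
    ctx = context or strict_tls_context()
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(
                f"{host}:{port} did not offer STARTTLS; refusing cleartext delivery")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: re-issue EHLO on the now-encrypted channel
        smtp.sendmail(sender, recipient, message)


# Constructed sample replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 35882577\r\n"
    b"250 ENHANCEDSTATUSCODES\r\n"
)


if __name__ == "__main__":
    for name, reply in (("capable server", EHLO_WITH_STARTTLS),
                        ("STARTTLS line absent", EHLO_WITHOUT_STARTTLS)):
        verdict = "proceed to STARTTLS" if starttls_offered(reply) else "abort, no cleartext"
        print(f"{name}: {verdict}")
```

The point the comment makes is in `send_requiring_tls`: `has_extn("starttls")` is checked before any mail data is sent, and the context passed to `starttls()` has `check_hostname` and `CERT_REQUIRED` set, so a handshake with an unrecognized certificate fails instead of silently succeeding. A client that falls back to plain SMTP when the extension is missing, or that disables verification, gives up exactly the protection the comment describes.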
Re: (Score:1)
what!!!!
Re: (Score:1)
So every single military transaction is prone to human error and or complacency. This isn't a nuanced criticism. It is in fact damning.
Re: Available Encryption (Score:1)
Cloud? What cloud? (Score:2)
"which is hosted on the cloud "
Ah, yes, "the cloud". Like there is just one. Thanks for the specifics. Does anyone know the details here; is the military really using AWS for email hosting?
How email works.... (Score:1)
...I think people have misconceptions about how exactly email works. It's not bounced around from server to server until it gets to its destination.
It's delivered directly to whichever server(s) you specified in your domain's MX record. So emails cannot simply be intercepted by whomever just like that.
However by default it is sent as clear text, which means in theory your Tier 3 (your ISP), tier 2 and tier 1 providers could intercept those emails since the packets have to pass through their networking eq
Um... (Score:2)
They're talking about *personal* emails, right? Surely they aren't *that* incompetent that they're sending official communications over unencrypted email? PLEASE tell me they're not that stupid...
Re: (Score:3)
DoD networking isn't quite the same as what's available to the rest of us.
"Normal" stuff goes over something called NIPRNet. It uses Internet protocols and is connected to the Internet via a few gateways, but if you are emailing from .mil to .mil, it stays on NIPRNet. So it's a bit like emailing another employee at work - The message stays within your employer's network so it's hard(er) to MITM.
Important things go over SIPRNet, JWICS or another more secure network. Encryption in-transit over those networ
Re: (Score:1)
Yes, you should not send official communications unencrypted. But even sending personal information unencrypted may be bad. If one person emails his wife saying that he is stationed at base X then that is no big deal. But if a thousand people say that they just got stationed at base X within a short period of time then that might be bad. There is a reason why during WWII before D-Day they officially put Patton in charge of an inflatable and fake army. They were trying to convince Hitler that Patton's attack
Bring back Lotus Notes! (Score:2)
Oooooohhhhhmmmmmm
ps I actually loved Notes specifically because it was so damn secure. Hard and expensive to manage, so the bean counters didn't agree with me.
Email is not being encrypted (Score:3)
Backdoor (Score:2)
Are they demanding a backdoor to be built on those too?