  1. #1 baldrick

    STRIPTLS proxy is present on both True Internet and TOT ADSL connections

    your mail client / app sends a request to the default port on the mail server which then sends a reply and indicates it wants to accept an encrypted connection.

    the ISP - true/tot - strips out the STARTTLS from the header and passes it to you

    your mail client/app then shifts to non-encrypted and passes all your mail, attachments, selfies etc without encryption so they can be saved and scanned by the ISP^^^military^^^NSA

    Internet users in Thailand have been hit by a massive man-in-the-middle attack aimed at grabbing email login credentials from fake SMTP servers.
    The attack has been verified on Google’s and Yahoo’s email servers and on two of the country’s largest fixed-line ISPs, though preliminary analysis suggests that all SMTP servers are targeted.
    The STRIPTLS attack as it has become known works by inserting a man-in-the-middle at the ISPs. This is done via a transparent proxy.
    Normally a client connecting to smtp.gmail.com on port 25 would be elevated to use STARTTLS encryption before authentication with username or password is passed and before the actual email message is sent.
    However, accessing smtp.gmail.com from within Thailand results in a connection to a fake server that says it does not support STARTTLS encryption. If the email client proceeds any email sent is sent unencrypted through the man-in-the-middle but more importantly so are email login credentials.
    The perpetrator would have a huge collection of usernames and passwords to email accounts through this attack as well as the actual messages.
    Setting the email client to explicitly use TLS connecting on ports 465 or 587 is still safe and communication remains encrypted. Only clients that are set to use encryption if available connecting on the default SMTP port would fall foul of the attack.
    Some mobile apps use SMTP as the underlying protocol when submitting large files or photos. The content of these submissions would also be vulnerable to this mass surveillance.
    The STRIPTLS proxy is present on both True Internet and TOT ADSL connections, the two largest ISPs in Thailand. It is not present on Dtac 3G or on AIS 3G.
    The source, speaking on condition of anonymity, said the attack has been live for at least a couple of weeks if not much longer.
    Neither Google nor Yahoo responded to emails asking for comment by the time of going to press.


    If you torture data for enough time, you can get it to say what you want.

  2. #2 Necron99
    If the email client proceeds

    And how many would?

  3. #3 baldrick
    ^ all those that have not got the option set to always encrypt connections

  4. #4 Nathan Napalm
    Known about this for a long time. Manipulation has to be the purpose. Not looking for suicide bombers, looking for unfavourable (against the establishment) views. People who don't toe the line will be manipulated via the man in the loop technology to neutralise them (emotionally/physically)

  5. #5 harrybarracuda
    "Setting the email client to explicitly use TLS connecting on ports 465 or 587 is still safe and communication remains encrypted. "

    Do these ISPs not allow the use of these ports or something?

  6. #6 slackula
    Anybody have the source of this story?

    Google isn't giving me anything except circular links.

  7. #7 Necron99
    I think we need an expert here.
    Where's Butters?

  8. #8 slackula
    Quote Originally Posted by Necron99
    I think we need an expert here.
    Where's Butters?
    Good thinking, he might know one.

  9. #9 harrybarracuda
    Quote Originally Posted by Necron99 View Post
    I think we need an expert here.
    Where's Butters?
    What do you want to know? The answer is in the OP.

  10. #10 baldrick
    Quote Originally Posted by quimbian corholla
    Anybody have the source of this story?
    Google, Yahoo SMTP email severs hit in Thailand | Telecom Asia

    ISPs Removing Their Customers' Email Encryption - Slashdot

  11. #11 harrybarracuda
    "Setting the email client to explicitly use TLS connecting on ports 465 or 587 is still safe and communication remains encrypted. Only clients that are set to use encryption if available connecting on the default SMTP port would fall foul of the attack."

  12. #12 slackula
    Quote Originally Posted by baldrick
    Google, Yahoo SMTP email severs hit in Thailand | Telecom Asia

    ISPs Removing Their Customers' Email Encryption - Slashdot
    The /. article points to an EFF article that cites the telecomasia article which is unsourced and attributed only to "Staff writer".

    Seems like a bit of a non-story, and as Harry pointed out STARTTLS is available and easy to check for:
    Code:
    telnet smtp.gmail.com 587
    Trying 74.125.200.108...
    Connected to gmail-smtp-msa.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP ap5sm25512100pad.22 - gsmtp
    ehlo
    250-mx.google.com at your service, [110.164.246.112]
    250-SIZE 35882577
    250-8BITMIME
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8
    ^]
    telnet> quit
    Connection closed.

  13. #13 baldrick
    Quote Originally Posted by quimbian corholla
    587
    and port 25?

    the point was that if you are using a client to connect via port 25 and you do not force TLS then the ISP will force your client to proceed in plain text

    TRUE started using BLUECOAT software back in about 2008 which allows automated MiTM - I guess ToT has started using it also

    Blue Coat Systems - Wikipedia, the free encyclopedia

  14. #14 slackula
    Quote Originally Posted by baldrick
    the point was that if you are using a client to connect via port 25 and you do not force TLS then the ISP will force your client to proceed in plain text
    Again, (and I am sorry because I am sure I am missing something really obvious) what is the problem/story here? Is it that plain text is the default? Your OP was about STARTTLS not TLS and 587 is the de-facto default port for STARTTLS upgraded comms. Stopping message submission (but not transfer) on 25 is a handy anti-spam tool as far as I know.

    How is the situation you describe any different from what happens anyway?

    Client A: Wanna TLS?
    Client B: Yeah OK
    *A&B whisper in corner*
    A&B: OK, we're TLSing now

    VERSUS

    Client A: Wanna TLS?
    Client B: Sorry, no can do
    Client A: But I wanna TLS!
    Client B: Nope, noway, nohow
    Client A: OK, we'll just go ahead anyway
    OR
    Client A: Right, not speaking to you then
    bibo ergo sum
    If you hear the thunder be happy - the lightning missed.
    This time.

  15. #15 baldrick
    The client asks to connect
    The server replies with an instruction to start tls
    The isp says fcuk you and removes the start tls
    The client shrugs and assumes encryption is not on so defaults to plain text

    The point is the isp is manipulating the traffic to remove encrypted communications.

    Granted it is not a massive issue for most, but it all has to start somewhere.

    There is an increasing noise from the law/tla across the world saying that encrypted communications are helping the terrorists win
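    As an added example (not from the thread or any of its posters), the four-step sequence in the OP and in post #15 expressed as a client-side check: parse the EHLO reply, apply the "require TLS" setting the thread recommends, and compare what the ISP line shows against a known-good baseline. The sample replies are constructed from the telnet session in post #12; `live_decision`, its host and port are assumptions for a networked run.

```python
import re
import smtplib

# Constructed sample: the EHLO reply quoted in post #12, as the Gmail
# submission server returns it when nothing sits between client and server.
EHLO_INTACT = """250-mx.google.com at your service, [110.164.246.112]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8"""

# Constructed sample: the same reply after a STRIPTLS proxy has deleted the
# 250-STARTTLS line, so the client believes the server cannot encrypt.
EHLO_STRIPPED = EHLO_INTACT.replace("250-STARTTLS\n", "")


def parse_ehlo(reply: str) -> dict:
    """Map each advertised EHLO keyword to its parameters (RFC 5321 ehlo-line).
    The first line is the server greeting, not a capability, so it is skipped."""
    caps = {}
    for line in reply.splitlines()[1:]:
        m = re.match(r"^250[- ](\S+)(?: (.*))?$", line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps


def decide(reply: str, policy: str) -> str:
    """What a client does with this reply. 'require' is the safe setting the
    thread recommends; 'opportunistic' is the one the attack relies on."""
    if "STARTTLS" in parse_ehlo(reply):
        return "STARTTLS"
    return "ABORT" if policy == "require" else "PLAINTEXT"


def stripped_capabilities(baseline: str, observed: str) -> set:
    """Capabilities a known-good baseline advertises but the observed reply
    (e.g. over the ISP line) lacks: a non-empty set is a tampering signal."""
    return set(parse_ehlo(baseline)) - set(parse_ehlo(observed))


def live_decision(host="smtp.gmail.com", port=587, policy="require") -> str:
    """Same check against a live server (assumed host/port; needs network)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        if s.has_extn("starttls"):
            return "STARTTLS"
        return "ABORT" if policy == "require" else "PLAINTEXT"
```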

  16. #16 Necron99
    The point is how many email programs will accept unencrypted connections?

    Chrome/gmail?
    Explorer?
    Safari?
    Outlook?

    All?
    Some?
    One?
    None?

  17. #17 slackula
    OK, thanks! Now I get what the OP was about but I still don't think it is an issue at all.

    ISP is only meddling with STARTTLS on #25, so anybody is free to use a different port (which is normal anyway)
    Nothing is stopping anybody using PGP or something to encrypt the actual content of the email

    Quote Originally Posted by baldrick
    Granted it is not a massive issue for most , but it all has to start somewhere.

    There is an increasing noise from the law/tla across the world saying that encrypted communications is helping the terrorists win
    That is a different kettle of fish though imho. Politicos and their tla-leo have been at that forever, I think it is still illegal under US law to sell Playstations to Iran and Cuba in case they are converted into missile guidance systems or some shit like that.

    It could easily be written into the EULA of an ISP to say that some identifying information transmitted over their network might be intercepted and almost everybody would just scroll to the bottom and click "I agree" just as they do now. Look at all the Win10 "beta-testers" who happily allowed frigging Microsoft of all people to put a key logger into the product without really giving any info about what was being collected or why.
