Prism-Proof Cloud Email Services
Introduction
Cloud email services use SSL certificates to encrypt the conversation between your browser and the HTTP server; this encrypted traffic is called HTTPS. With most HTTPS certificates the server's long-term private key acts as a master key that can decrypt the encrypted traffic. This is not true when the connection uses a temporary session key that is negotiated individually for each user's connection and then discarded. This is known as SSL ephemeral mode.
This article is a survey of free cloud email services. It lists services by their affiliation with the NSA, their support for HTTPS, their support for SSL ephemeral mode, and the physical location of their servers. By carefully choosing a cloud email service, users can be confident that their traffic is not entering the network of the United States. Additionally, if their traffic did enter the United States, the SSL certificate of the service they select supports ephemeral mode, which prevents the NSA from using a master key to decrypt recorded network traffic.
Lists of free cloud email services
http://ubuntuforums.org/showthread.php?t=2125732
http://email.about.com/od/freeemailreviews/tp/free_email.htm
http://capturedbloggingtips.com/2013/03/6bestalternativestogmail/
URL redirects and Cross-Domain Single Sign-On (CDSSO):
In some cases you may log into a domain such as gmx.co.uk by entering your credentials but be redirected to gmx.fr. If the cookie is sent to your browser by the co.uk domain and the fr domain then asks for that cookie, your browser will block the second domain from reading it, as that violates the cross-domain policy. By using Cross-Domain Single Sign-On, web applications are able to authenticate across several domains, allowing the user to log in only once. For the purposes of knowing where your data is being stored in the cloud, the best guess you can make is to assume it is coming from the final domain you have been redirected to.
Email ports
The POP3 port for inbound email is 110, or port 995 if you want to use secured POP3. The IMAP port for inbound email is 143, or port 993 if you want to use secured IMAP. The SMTP port for outbound email is 25/2525/587, or 465 if you want to use secured SMTP. If your cloud mail server allows connections over non-secure ports and your traffic is crossing American cyberspace, then email received on ports 110, 143, 25 and 2525 can be captured by the NSA, as the traffic is not encrypted between one mail server and the other (Alice > [https] > gmail.com > [plaintext] > gmx.co.uk > [https] > Bob). An interesting project would be to survey how different mail servers interact when exchanging mail: do they always attempt to use SSL and downgrade only if it is not available, or do they have to be forced to use it? If mail servers used SSL by default when it is available, then the communication would be secure both between the web interfaces and between the mail servers (Alice > [https] > gmail.com > [ciphertext] > gmx.co.uk > [https] > Bob).
Compare the certificate types of https/pop3/imap/smtp using the following bash shell script:
#!/bin/bash
# host:port pairs to compare. The original list continues past lavabit but was
# truncated in the page, so only the entries that survived are kept here.
list="www.gmx.co.uk:443
pop.gmx.co.uk:995
imap.gmx.co.uk:993
smtp.gmx.co.uk:465
www.zoho.com:443
pop.zoho.com:995
imap.zoho.com:993
smtp.zoho.com:465
www.mail.com:443
pop.mail.com:995
imap.mail.com:993
smtp.mail.com:465
www.shortmail.com:443
imap.shortmail.com:993
smtp.shortmail.com:465
www.lavabit.com:443"

# The original defined $imap and $smtp separately (those lines are lost in the
# page); here they are derived from the host list by service-name prefix.
imap=$(echo "$list" | grep '^imap\.' | cut -d: -f1)
smtp=$(echo "$list" | grep '^smtp\.' | cut -d: -f1)

# Which IMAP ports (plain 143, TLS 993) does each IMAP host expose?
for i in $imap; do
    echo -e "\n$i:"
    nmap -T5 -p 143,993 "$i" | egrep "imap$|imaps$"
done

# Which SMTP ports (plain 25/2525/587, TLS 465) does each SMTP host expose?
# Note: nmap names port 587 "submission", so it is not matched by this pattern.
for i in $smtp; do
    echo -e "\n$i:"
    nmap -T5 -p 25,2525,587,465 "$i" | egrep "smtp$|smtps$"
done
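The nmap script above only shows which ports are open; the property the article actually cares about is whether the key exchange on each port is ephemeral. The following added example (not the original author's code) uses openssl s_client to read the negotiated cipher suite for each endpoint and classifies it as ephemeral, static or no TLS. The target list is constructed from hosts named on the page, the --run switch that starts the network probes is this example's own convention, and the -starttls option handles the plaintext ports (25/587/143/110) that only upgrade to TLS after connecting.

```shell
#!/bin/sh
# Added example, not the original author's script: report whether each TLS
# endpoint negotiates an ephemeral (forward-secret) key exchange.
# Requires openssl(1); the target list below is constructed for illustration.

# classify_kx CIPHER -> "ephemeral", "static" or "none".
# (EC)DHE suites and every TLS 1.3 suite derive a fresh key per connection;
# anything else (plain RSA or static DH key exchange) is treated as static,
# because the server's long-term key can then decrypt a recorded capture.
classify_kx() {
  case "$1" in
    ""|0000|"(NONE)")                             echo none ;;
    ECDHE-*|DHE-*|EDH-*|TLS_AES_*|TLS_CHACHA20_*) echo ephemeral ;;
    *)                                            echo static ;;
  esac
}

# cipher_from_s_client: pull the negotiated cipher name out of
# `openssl s_client` output read from stdin (the "Cipher    : ..." line).
cipher_from_s_client() {
  sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# probe HOST PORT [STARTTLS_PROTO]: connect, optionally upgrading a plaintext
# port with STARTTLS (smtp, imap or pop3), and print the key-exchange class.
probe() {
  opts=""
  [ -n "${3:-}" ] && opts="-starttls $3"
  # $opts is deliberately unquoted so "-starttls smtp" splits into two words
  cipher=$(echo | openssl s_client -connect "$1:$2" $opts 2>/dev/null \
           | cipher_from_s_client)
  printf '%-22s %-9s %s\n' "$1:$2" "$(classify_kx "$cipher")" "${cipher:-no TLS}"
}

# Constructed target list (host port [starttls]), using hosts named on the page.
targets='www.gmx.co.uk 443
pop.gmx.co.uk 995
imap.gmx.co.uk 993
smtp.gmx.co.uk 465
smtp.gmx.co.uk 587 smtp'

# Network probes run only when invoked as "sh script.sh --run", so the
# functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
  echo "$targets" | while read -r host port starttls; do
    probe "$host" "$port" "$starttls"
  done
fi
```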
Final note
Ensure your browser is using the “HTTPS Everywhere” extension when browsing these domains. If you bookmark a cloud email service, be sure that you are using the IP address of the server to lock its geographic location. So, for example, instead of bookmarking www.gmx.com, which could bring you to servers in the USA or in Germany, bookmark https://213.165.64.202/, the German IP address, as opposed to https://74.208.5.85, the IP address of the US server. A useful extension for geolocation of servers is “Flagfox”, which attempts to geolocate the server currently delivering the content of the web page.
Conclusion
It should be noted that no single cloud service provides SSL certificates in ephemeral mode for all of its services (HTTPS/POP/IMAP). Additionally, of the 20 services surveyed that provide HTTPS, only 3 are not based in the United States. It was possible to shortlist the top 3 services as bronze, silver and gold based on the results of this brief survey.
Winners:
#1 ojooo.com (DHE_RSA on https/pop3/imap/smtp, and they're based in Germany)
#2 contactoffice.com (DHE_RSA on https/pop3/imap, and they're based in France)
#3 inbox.com (DHE_RSA on pop3/imap/smtp)
Worst security award:
#1 rediffmail.com (no security implemented on any protocol)
Normally, if the traffic happens to pass through American telecommunications networks, the NSA will tap into the fibre-optic systems in the network backbone of the country, record all the traffic in its Utah data centre and keep it for up to 5 years in cold storage on hard drives before discarding it. A famous case of the NSA tapping a major network backbone is the fibre-optic tap in “Room 641A”, where the NSA split the fibre-optic communications cable in AT&T's communications station.
By choosing a mail service that uses a different encryption key for every network communication, your traffic is secured against the NSA taking it out of cold storage and decrypting it using the compromised master keys used to generate the SSL certificates. These master keys are normally compromised by the NSA simply walking into a corporation and demanding the keys from the owners. However, this is not possible with SSL certificates that are operating in ephemeral mode, as a different key is used for every connection and is then discarded immediately. This technique will not, however, prevent the NSA or another surveillance organization from demanding physical access to the company's servers and simply copying the data off their hard drives.
Future work
An interesting project would be to survey how mail servers interact to exchange messages when a secure communications channel is available. Does the Postfix mail server attempt to use SSL before downgrading to a plaintext alternative? Does Microsoft Exchange Server attempt to use SSL before downgrading to a plaintext alternative?
Sources:
1. PRISM Accomplices
https://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_slide_5.jpg
2. PRISM Network Graph
https://upload.wikimedia.org/wikipedia/commons/0/01/Prism_slide_2.jpg
3. Explanation of Ephemeral Diffie-Hellman key exchange
http://blogs.computerworld.com/encryption/22366/cannsaseethroughencryptedwebpagesmaybeso
4. DH vs. DHE and ECDHE and perfect forward secrecy
http://stackoverflow.com/questions/14034508/dhvsdheandecdheandperfectforwardsecrecy
5. Geographic ip mapping tool http://www.geoiptool.com/en/
6. HTTPS Everywhere https://www.eff.org/httpseverywhere
7. Flagfox https://addons.mozilla.org/enus/firefox/addon/flagfox/
8. NSA Utah Data Centre Yottabyte Storage Capacity
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1
Last edited: Tuesday, July 16, 2013 at 1:35:15 PM IST
Contact hughpearse@gmx.co.uk