Internet Service Providers Are Violating Net Neutrality, Blocking Encryption And Putting Users At Risk

Earlier this year, VPN provider Golden Frog (creators of the VyprVPN service) debuted front and center in the debate over net neutrality. One of their customers, Colin Nederkoorn, published a video showing how switching to VyprVPN increased his network performance by a factor of 10. Full Disclosure: I've run my own tests on VyprVPN, and while I did not see the 10x improvement that Mr. Nederkoorn documented, Netflix streaming speeds to my own system became much less erratic, while throughput doubled over time.

Now, Golden Frog has filed a brief with the FCC, discussing both this incident and another, more troubling problem for security advocates -- the detection of ISPs performing man-in-the-middle attacks against their own customers. According to information cited in the briefing, one wireless provider was caught blocking the use of STARTTLS encryption.

It might seem odd that Golden Frog is taking a position on this point, since ISP blockages and "traffic management" actively help create a need for its own product. As the company notes, however, "the very same Internet access providers... can throttle or block VPNs, proxies, or encryption if the Commission imposes no effective rules." The current proposed rules before Wheeler's commission do not prohibit the blocking of encryption services, leading GF to conclude that "the Netflix throttling may be the problem of today and encryption blocking the problem of tomorrow."

Why Block Email Encryption In The First Place?

STARTTLS is used to encrypt traffic sent over SMTP -- email, in other words. Because an email from Point A to Point Z may travel through a number of unsecured routers to reach its final destination,  unencrypted email is intrinsically insecure. STARTTLS was developed to mitigate this problem -- it allows for initial cleartext communication but then requests the server switch to an encrypted mode.

What Golden Frog documented was the interception and modification of multiple requests to begin using STARTTLS into an entirely different set of commands, thereby preventing the encrypted link from ever being established. According to GF, the process bears striking resemblance to a feature inside Cisco's Adaptive Security Appliance. This particular feature can be used to limit the controls and capabilities that a client can access on a server, while suppressing return messages that would indicate certain features are not engaged.

Here's what the encryption sequence should look like:

And here's what's actually happening on this provider:

The problem of overwritten encryption is potentially far more serious than an issue of Netflix throttling, even if the latter tapped consumer discontent more readily. If ISPs are allowed to perform MitM attacks against their own customers for whatever private means they've determined, without consultation or notification of said customers, than any personal attempt to secure data, for any reason, is fundamentally compromised. This could have severe impacts on companies that rely on the Internet for transfer of trade secrets or private communication.