Security Concerns over Gmail in Thailand - under investigation


Arthit Suriyawongkul

Sep 8, 2014, 10:21:26 AM
to Thai Netizen, Thai Netizen Network

Hi all,

An Internet user in Thailand found that when using an SMTP server from within Thailand, STARTTLS is not presented. Afraid that security may be compromised.

https://www.facebook.com/groups/354110707939780?view=permalink&id=962116307139214

See screenshots attached :
In the first screenshot, the user explained that the upper part is a connection made from Japan, and the lower part is a connection made from Thailand. Notice the missing STARTTLS line, signalling probably missing encryption. (???)

There's also a rumor since a couple of days ago that Thai authority has successfully forced local ISPs to deploy a sniffer AND also issuing fake SSL certificates. The rumor says full operation will start on 15 September. -- I can't confirm any of these.

We tried to contact Google to investigate this and are still waiting for a response to confirm what actually happened.

The same anomaly may occur with other non-Google services as well.

Cheers,
Arthit
Thai Netizen Network
art...@thainetizen.org

IMG_8336223256339.jpeg
IMG_8341835896441.jpeg

Danny O'Brien

Sep 15, 2014, 10:59:36 PM
to Arthit Suriyawongkul, Thai Netizen, Thai Netizen Network
On Mon, Sep 08, 2014 at 05:21:20PM +0300, Arthit Suriyawongkul wrote:
> Hi all,
>
> An Internet user in Thailand found that when using an SMTP server from within
> Thailand, STARTTLS is not presented. Afraid that security may be compromised.
>

Hey everyone --

In a conversation with a reporter looking into this, he mentioned (and I
remembered from my days covering UK ISPs), that proxying port 25
universally is sometimes used by ISPs to filter outgoing spam. Note that
these outgoing spam filters could absolutely be used to spy on and
analyse emails, but we might need some more evidence that this is being
done covertly before coming to conclusions.

A couple of extra steps that a system designed primarily to eavesdrop
might have:

1) Usually port 587 is not proxied, as this port requires SMTP
authentication (the anti-spam proxy is intended to catch email being
sent without authentication). If port 587 is also being proxied then
that points to a more deliberate attempt to collect mail.

2) If you send mail via the proxy on port 25, the email received by the
destination should have a "Received:" header that shows that it was
received by an ISP's SMTP server, then sent on to Gmail (or wherever
the email message was meant to be sent to). If there is no header, then
the ISPs are covering their tracks, and this is more of a
man-in-the-middle attack. If there is a header, we can see whether this
is all travelling via the same machine, or whether each ISP has their
own SMTP proxy.

Hope this helps!

d.


--
International Director, EFF | +1 415 436 9333 x150 | 815 Eddy Street, SF, CA 94109
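
Check 2 in the message above can be run against the raw source of a received test message by listing its "Received:" hops in travel order. This is an added example, not code from either poster; the sample message, the hostname relay.isp.example and the function names are constructed for illustration, and the `tls` flag relies on the RFC 3848 "with" keywords.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): mail sent on port 25 that passed
# through a hypothetical ISP relay, relay.isp.example, before reaching Gmail.
SAMPLE = """\
Received: by 10.0.0.5 with SMTP id abc123; Mon, 15 Sep 2014 20:00:03 -0700
Received: from relay.isp.example (relay.isp.example [203.0.113.10])
        by mx.google.com with ESMTP id x1si123; Mon, 15 Sep 2014 20:00:02 -0700
Received: from laptop.local (unknown [198.51.100.7])
        by relay.isp.example with SMTP id 4F2A1; Tue, 16 Sep 2014 10:00:00 +0700
From: sender@example.org
To: someone@gmail.com
Subject: test

body
"""

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}  # "with" keywords from RFC 3848

def _field(keyword, text):
    m = re.search(rf"\b{keyword}\s+(\S+)", text, re.I)
    return m.group(1) if m else None

def parse_hop(value):
    """Split one Received: value into its from/by/with parts."""
    text = " ".join(value.split()).split(";")[0]  # unfold, drop timestamp
    proto = _field("with", text)
    return {"from": _field("from", text), "by": _field("by", text),
            "with": proto, "tls": (proto or "").upper() in TLS_PROTOCOLS}

def relay_path(raw):
    """Hops in the order the mail travelled (headers are stored newest first)."""
    msg = message_from_string(raw)
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]

def intermediaries(raw, destination_suffix=".google.com"):
    """Hosts that accepted the mail before the destination's servers did."""
    seen = []
    for hop in relay_path(raw):
        if hop["by"] and hop["by"].endswith(destination_suffix):
            break
        seen.append(hop["by"])
    return seen

if __name__ == "__main__":
    print(relay_path(SAMPLE))
    print("relays before Gmail:", intermediaries(SAMPLE))
```

An empty result from `intermediaries` for a message that was sent through a connection known to be proxied corresponds to the "no header" case described above.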