Google, EFF back Cloudflare in row over pirate streams Google, EFF, and the Computer and Communications Industry Association (CCIA) have filed court documents supporting Cloudflare after it was sued for refusing to block a streaming site. Earlier this year, a handful of Israel-based media companies took Israel.tv to court, accusing it of streaming TV and movie content it had no …
That email sanitisation service relies on email not being encrypted, which while the most common scenario, is hardly a happy state of affairs.
A better idea would be for the scanning to happen on the end user's device and then redirect (with user permission to avoid sensitive data being leaked) to the remotely hosted browser (which one hopes is itself properly hardened).
Microsoft [both Exchange Server and hosted offerings], Google, and Yahoo encrypt email by default, provided the other party supports it.
Outside of China and Russia, those three account for the vast majority of email traffic, so I would say that encrypted email is now the most common scenario.
Of course the Russian and Chinese email providers might also encrypt their email, I haven't looked into that.
Google, and Yahoo encrypt email by default, provided the other party supports it.
Sort of depends what you mean by encryption: TLS, yes. But actual encryption of the e-mail at rest, no and Exchange is easy enough to hack. S/MIME isn't much better because, apart from the technical shortcomings, admins can easily read the e-mail. And none of the big players has gone far enough to support anything like PGP, even though they're technically in a great position to do this.
Note, that in some situations in some jurisdictions, it is a legal to keep archive, and thus, unencrypted copies of e-mails. But it's possible to think up ways of how this could be done: separate keys for certain communications and an offline archive.
> Note, that in some situations in some jurisdictions, it is a legal to keep archive, and thus, unencrypted copies of e-mails. But it's possible to think up ways of how this could be done
My company does it. I forget the details but it involves stripped (PGP) keys. Users can encrypt and only they can sign, but the admin can decrypt anything encrypted to a users key. This suggests that the admin has a copy of the encryption key but not of the signing key.
OpenPGP because of the issues expounded by another poster below, plus control over the chain of trust.
As mentioned by @Ccharlie Clark, most SMTP servers support TLS, so that the data transmission is encrypted and less likely to be caught by someone sniffing the packet stream in the middle somewhere.
Encrypting the message contents, at rest(1)? Different animal entirely. I'm speaking here as both a mail admin and PKI admin, and I can tell you that configuring an entire company's worth of user accounts to use encryption is a very tall, and VERY expensive order.
First you'll need to ether A) Purchase a public signing certificate, which most certificate resellers will either want 5 digits for if they'll do it at all; OR offload your chain of trust for the domain to them and pay a per user, per year fee for it;(2) B) run your own publicly accessible CA for certificate validation and get one of the root trusts to sign off on it (not easy OR cheap); AND train your support staff, users, and probably random members of the public, vendors, and whoever else whines about how to react now that the emails are all encrypted using their very own personal certificate.
Oh yeah, and since you are the SME for implementing it, you are now the point of contact for EVERYTHING email related that breaks, even if (or especially if) it's not actually related to the encrypted email chains.
Good luck!
(1) Defining "at rest" here as sitting in an outbound, transitory, or inbound mail spool/datastore/mailbox.
(2) [RedactedCo] has in excess of a thousand users; $20 /user, per year; that's a lot of money for something that'll likely rarely get used unless it's forced on, which causes even more headaches on the receiving side.
-> Its lawyers noted in court filings [PDF] that data just passes through Cloudflare's networks on its way to and from websites and visitors, and it doesn't engage in editing or removing content.
That is exactly the argument the US regime often uses for money laundering. If data about money passes through a US owned or operated network at all, even for a. millisecond, then they claim jurisdiction. The fact that those networks did nothing but pass it on is considered irrelevant.
-> [huge long list of every kind of service provider removed for clarity]
I wonder if this is some kind of cookie cutter, pro forma so-called judgement. Copy and paste this long list from some handy grab bag of judicial goodies.
In the US Cloudflare should be in the clear by claiming Safe Harbour, which was designed for something else but should easily cover this. The only aspect they're vulnerable on is failing to act on a cease and desist case if they've been instructed not to provide services for insert-name-here, but that would be contempt anyway.
DMCA was almost specifically designed to protect US copyright without penalising US video service providers, like YouTube. Non-US copyright holders have much reduced rights and non-US service providers find it harder to claim Safe Harbour. This is standard US trade policy via extra-territorial enforcement.
> any other service provider which has provided services or in the future provides services to defendants
This instantly renders the order null and void in the United States as it forbids the defendant from seeking the services of or retaining legal representation.
Because thats 100% unconstitutional, none of the remainder of the order is legally enforceable.
PLUS the site owners can sue for violating their constitutional rights
Cloudflare acts like they're just an innocent pipeline/proxy/whatever when they actually have customers subscribing to a specific services. It's not their job to monitor their customers but it is their job to respond when they have been notified of customers using services for crime. I'd personally like to see Cloudflare get in a lot more trouble.
Reg - before you delete this, have you looked at the fake Louis Vuitton store links I emailed? You asked for evidence in another story comment thread.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
