Frontier curious

Topic

New Reply

Got this email today and am curious,started with Frontier 4 or 5 months ago and I use Thunderbird with same antivirus and firewalls I have always used. Is there a problem, I hate scare emails/warnings etc.

Frontier is committed to protecting your personal data online. As part of that commitment, we strongly recommend that you upgrade your email security settings to protect your privacy and confidentiality. There’s no cost, and it is a quick change in your email application settings that will encrypt your emails for an increased layer of security. If you choose not to make this change, your email could be intercepted and read by a third party.

This only impacts users of email applications such as Microsoft Outlook, Mac Mail, Thunderbird or Windows Live Mail. If you use our Webmail service (on your internet browser) you do not need to make any changes.

Instructions on how to make this change can be found by clicking on the link below and choosing your applicable email application. You can find additional ‘frequently asked questions’ at the bottom of the email.

http://www.frontierhelp.com/faqcategories.cfm?mcatid=57

We encourage you to make this change right away – it takes no more than 2 minutes and will significantly improve the security and privacy of your personal data and communications.

Reply | Quote

Replies

It’s a very common request by most ISPs for better email security; just do it.

Bruce

Reply | Quote

Many email providers are changing to secure communications only. If you are concerned about the validity of the email go to the Frontier web site manually (i.e. type in the web site name don’t click the link).

Joe

--Joe

Reply | Quote

You could also call Frontier’s tech support line and ask them.

Emails of this nature which come from your ISP are legitimate; the bogus ones are the ones which come from people you don’t know.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

Emails of this nature which come from your ISP are legitimate; the bogus ones are the ones which come from people you don’t know

Many of the malware emails spoof the ISP’s address in the from box. Many times you can tell an link is fake by hovering the mouse over the link and look at the bottom of the page where the real URL is displayed. It’s always safest to type the URL manually as Joe suggested and never click on links within an Email.

Jerry

Reply | Quote

Thank you all, I believe a call to Frontier will help me with new security changes. I don’t mind being tad paranoid when it comes to changes.

Reply | Quote

Many of the malware emails spoof the ISP’s address in the from box. Many times you can tell an link is fake by hovering the mouse over the link and look at the bottom of the page where the real URL is displayed. It’s always safest to type the URL manually as Joe suggested and never click on links within an Email.

Jerry

Good point.

Also, when YOU initiate the contact (such as manually typing the URL, or looking up their phone number and then calling them), you can know that you are getting to the right place.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

“Frontier is committed to protecting your personal data online. As part of that commitment, we strongly recommend that you upgrade your email security settings to protect your privacy and confidentiality. “
SSL only protects your data while in transit from you to Frontier by encrypting the data stream. It does not encrypt or protect your email while passing through the many servers it may pass through before reaching its destination. It doesn’t protect it from prying eyes sitting on the recipient’s mail server. SSL protects the data while travelling between you and Frontier. If you want the content of an email protected encrypt an attached document and give the key to the recipient separately.

Reply | Quote

SSL only protects your data while in transit from you to Frontier by encrypting the data stream.

Correct.

It does not encrypt or protect your email while passing through the many servers it may pass through before reaching its destination.
It doesn’t need to, it’s already encrypted.

It doesn’t protect it from prying eyes sitting on the recipient’s mail server.
The email was sent to the recipient’s server!

Reply | Quote

The message is similar to when Yahoo Mail FINALLY got with the program and started using a secure (padlock in the URL) SSL connection. Actually, this connection is far more secure than ordinary SSL, and it uses different security protocols, but the take-away message is that Frontier is forcing users to use secure connections, not forcing pre-encryption of emails.

Pre-encryption means that the messages themselves are encrypted and can only be viewed if the recipient has a Public Key. Encrypted email refers to a secure channel through which messages which themselves are not pre-encrypted, can be transmitted with minimal risk of being intercepted and read between their origin and their destination.

Here‘s what my email provider, Fastmail, says about email encryption and security.

Having read further, I am not sure I have used the term SSL correctly here. Read my later post in response to BruceR, and follow the link the How Stuff Works for a much better treatment of web site security.

-- rc primak

Reply | Quote

Actually, this connection is far more secure than ordinary SSL, and it uses different security protocols,

What is this extraordinary SSL connection you’re describing which is far more secure and what different security protocols does it use?

Bruce

Reply | Quote

Does anyone know how to get an email service that Frontier can NOT scan? It would perhaps be a service where incoming mail would go to an intermediate and the whole email including pictures, addresses etc would be encrypted and then sent to my ISP and when in Thunderbird I opened the email it would be un-encrypted??!!

The reverse would happen on outgoing in that Thunderbird would encrypt the whole thing, send the mail to an intermediate, un-encrypt and send to the recipient(s).

And that would be great if everything coming in or out would cause Frontier (and other intruders) to see only an encrypted text. http://windowssecrets.com/forums/images/icons/icon8.png

Reply | Quote

Does anyone know how to get an email service that Frontier can NOT scan? It would perhaps be a service where incoming mail would go to an intermediate and the whole email including pictures, addresses etc would be encrypted and then sent to my ISP and when in Thunderbird I opened the email it would be un-encrypted??!!

The reverse would happen on outgoing in that Thunderbird would encrypt the whole thing, send the mail to an intermediate, un-encrypt and send to the recipient(s).

And that would be great if everything coming in or out would cause Frontier (and other intruders) to see only an encrypted text. http://windowssecrets.com/forums/images/icons/icon8.png

If Frontier is your ISP, and if you use the email service that they provide, then I’m not sure how you can avoid them scanning it.

If you go with a non-Frontier email service, then I am quite sure that you will have stopped Frontier from scanning your email.

If you are concerned about someone scanning your email, then get your own domain and go with a reputable, paid email service, that is, one which makes its money from your subscription fees. If you go with a free email service, then they will in all likelihood scan your email and make money by selling the information. Also from advertisements which you see.

None of this stuff is free; you either pay with your money or your information. (or both)

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

Does anyone know how to get an email service that Frontier can NOT scan? It would perhaps be a service where incoming mail would go to an intermediate and the whole email including pictures, addresses etc would be encrypted and then sent to my ISP and when in Thunderbird I opened the email it would be un-encrypted??!!

The reverse would happen on outgoing in that Thunderbird would encrypt the whole thing, send the mail to an intermediate, un-encrypt and send to the recipient(s).

And that would be great if everything coming in or out would cause Frontier (and other intruders) to see only an encrypted text. http://windowssecrets.com/forums/images/icons/icon8.png

“If you need secure end-to-end communication, email is probably the wrong way to do it.”
http://www.extremetech.com/extreme/163698-encrypted-email-isnt-secure-but-if-you-must-use-it-here-are-some-lavabit-alternatives

As I posted before, Yahoo does not permit encrypted messages, contrary to what is implied in the ExtremeTech article. I don’t know about GMail, but I suspect similar restrictions may exist in their Terms of Service.

Two services reviewed in the article, Countermail and Neomailbox, have their own issues, and may not be totally private or secure.

Fastmail which is based in Australia, no longer has free accounts. But they insist they do not scan email coming or going. They are one of only a very few services I know of which make this promise.

TOR Mail used to be like the service model you describe, but it and several others like it got shut down by FBI legal actions. Or they shut themselves down when they discovered they were under US court orders to divulge subscribers’ info or their email contents.

No one escapes spying like NSA and the FBI have been doing, so if you’re sending or receiving inside the USA, forget about email privacy.

-- rc primak

Reply | Quote

What is this extraordinary SSL connection you’re describing which is far more secure and what different security protocols does it use?

Bruce

I would be very interested to hear about this as well.

My email provider (not my ISP I may add) uses SSL/TLS for security as default.

A little bit of digging suggests to me that it is STARTTLS Bob is referring to which converts a plain text connection to one using SSL/TLS.

For me that security is already in place without using STARTTLS as I am sure it is for many others.

Going back to the OP with his question, yes, you should apply those changes.

Reply | Quote

What is this extraordinary SSL connection you’re describing which is far more secure and what different security protocols does it use?

Bruce

What I said about SSL being not the only security in a HTTPS session may not have been entirely accurate.

HTTPS and SSL are only two of the security measures used in secure web site connections. Web sites can use additional means to protect secure logins and other interactions. TLS is an updated version of SSL, and this is the better security I was originally referring to. But as the GNU-TLS Bug illustrates, even TLS is not perfect.

Web site security usually has several components, each one of which can be made more or less secure. In the Linux case, the affected component (GNU-TLS) was patched, making the overall security setup more secure.

With the Linux GNU-TLS Bug, the issue with TLS not being secure is mitigated by the fact that GNU-TLS does not stand alone in most secure web connections. One important measure taken was to issue a security update for GNU-TLS.

OpenSSL is used much more commonly than GNU-TLS, so most secure web connections were not affected by this bug. The hype surrounding this bug does illustrate how many tech writers don’t understand the different web security protocols any beter than I eveidently do. Hence some of my own confusion. More on the Linux bug here.

I probably did not fully understand what these [protocols are all about when I posted above, and I confess I still am a bit unclear on thie subject.

This article gives a lot more information on the entire subject of web security than I can include in a post, so anyone seeking the whole story probably will do a lot better reading this than reading my attempts to reduce the subject to short forum posts.

This article gives a further disctinction of SSL and TLS, and the various security aspects of each.

-- rc primak

Reply | Quote

HTTPS and SSL are only two of the security measures used in secure web site connections.

Only one security measure there really, since HTTPS is just HTTP on top of SSL.

Web sites can use additional means to protect secure logins and other interactions.

Like what?

With the Linux GNU-TLS Bug, the issue with TLS not being secure is mitigated by the fact that GNU-TLS does not stand alone in most secure web connections.

What else stands with it? (OpenSSL is an alternative.)

Bruce

Reply | Quote

Only one security measure there really, since HTTPS is just HTTP on top of SSL.

Like what?

What else stands with it? (OpenSSL is an alternative.)

Bruce

EV Certificates, client-side certificates (rare), and certificate/public key pinning are possibilities. Chromium based browsers utilize certificate/public key pinning on some websites.

Reply | Quote

EV Certificates, client-side certificates (rare), and certificate/public key pinning are possibilities. Chromium based browsers utilize certificate/public key pinning on some websites.

But each of those certificate enhancements to improve identity verification of the two end-points still relies on SSL to protect all data transmission between the two, including passwords, right? (The original comment was about additional means to protect secure logins.)

Bruce

Reply | Quote

EV Certificates tend to be more of a warning flag, but pinning, at least from the point of view of OWASP, came about as an additional means to secure the channel due to the failure of SSL and TSL to provide proper security under certain types of attacks.

Reply | Quote

EV Certificates tend to be more of a warning flag, but pinning, at least from the point of view of OWASP, came about as an additional means to secure the channel due to the failure of SSL and TSL to provide proper security under certain types of attacks.

Isn’t certificate pinning something which is implemented in the client/browser for “outgoing” connections, rather than something which web sites can implement for all “incoming” connections? (The original comment was about extra steps available to web sites to secure logins beyond SSL.)

Bruce

Reply | Quote

I have seen the same announcement from Frontier. I think that it is a sheep in wolfs clothing!

There’s been a couple of times over the years when I’ve noticed that adverts would pop up after I discussed some item. I tested this by sending an email with just 5 words in it and I began getting ads on ALL 5! I complained to Frontier and for a while the ads stopped. But certainly Frontier was scanning email and web surfing.

I later began seeing ads again, probably years later. I switched to Thunderbird and I saw a decrease in ads.

Then I got from Frontier a new Terms of Service and it was very open about what they scan. I haven’t gone back to web based email to see what’s happening there. And the latest notice from Frontier heightens the alarm.

I’m paying for Frontier as an ISP and they shouldn’t be bugging the hand that feeds them!

Reply | Quote

Let’s just let the two articles I referenced in my earlier post speak for themselves.

-- rc primak

Reply | Quote

Let’s just let the two articles I referenced i my earlier post speak for themselves.

I can’t find any reference in either of those articles to your mystery ingredient X for secure web connections.

Bruce

Reply | Quote

I can’t find any reference in either of those articles to your mystery ingredient X for secure web connections.

Bruce

I’m guessing SSL is a much broader term than I had originally thought.

-- rc primak

Reply | Quote

Yes, pinning is usually going to come from the browser. Sorry, I thought this thread was about the whole pipeline, not just the website. So, looking back at post #9, where this subject appears to have originated (“connection is far more secure than ordinary SSL, and it uses different security protocols”), my guess would be that what Yahoo is referring to is probably an Extended Validation SSL Certificate. This SSL certificate came out of The Certification Authority Browser Forum (https://cabforum.org) a couple years ago and has security enhancements not available with a standard SSL certificate. Although EV is more secure than ordinary SSL, whether it’s “far more secure,” or not, is debatable.

Reply | Quote

The OP wasn’t really asking about security details.

What was asked about is what Frontier might be asking for and why, when they said to upgrade the email client’s security settings.

This usually refers to requiring SSL or STARTTLS in the Account Profile. (I’m using the Thinderbird term for Account Settings.)

It’s done in order to enable a secure connection, which in light of the recent Heartbleed revelations, has until recently not been all that secure after all. But that issue aside, it’s always reassuring to see in a browser the Padlock, and to have a similar secure connection in an email client.

I think anything more technical is a bit of overkill here.

-- rc primak

Reply | Quote

The OP wasn’t really asking about security details.

…

I think anything more technical is a bit of overkill here.

It was your oblique references to other security measures and different security protocols which caused us to go off tangent.

Bruce

Reply | Quote

It was your oblique references to other security measures and different security protocols which caused us to go off tangent.

Bruce

For which I apologize.

-- rc primak

Reply | Quote