An article about
reminded me of a problem I investigated last year when Hassath couldn't
send mail when connected through her phone's mobile hotspot.
My first response to any network problems is to run tcpdump, and I saw
the following EHLO response from my own SMTP server.
250-AUTH PLAIN CRAM-MD5
Vodafone is transparently proxying outgoing SMTP traffic and replacing
STARTTLS in the EHLO response with XXXXXXXA, so that the client doesn't
try to negotiate TLS. If you issue STARTTLS anyway—which no normal SMTP
client would, but openssl's s_client can do—the TLS negotiation fails.
So it's not just a downgrade attack, it's actively sabotaging TLS.
This was the case in mid-2014, and it's still the case at the time of
writing. I wonder how many terabytes of email logs they have collected
in the meantime, how they are stored, and who is reading them.
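As an added example (not code from the original post), here is a small Python check that does what I did by hand with tcpdump: parse an EHLO response, flag the case where STARTTLS is missing and a same-length placeholder such as XXXXXXXA sits where it would normally be, and point out that AUTH is then being offered over a connection that can no longer be upgraded. The two EHLO responses are constructed for the offline test and are not captured from any real server; the placeholder pattern, the hostname and the check_live helper are assumptions for illustration.

```python
import re
import smtplib

# Constructed EHLO responses (not captured from a real server). The tampered
# one mirrors the post: STARTTLS overwritten with XXXXXXXA while
# AUTH PLAIN CRAM-MD5 is still advertised in the clear.
CLEAN_EHLO = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)

TAMPERED_EHLO = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-XXXXXXXA\r\n"
    "250-AUTH PLAIN CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)

# Assumed placeholder shape: eight characters, the same length as STARTTLS,
# seven X's followed by one other character (as seen on the page: XXXXXXXA).
PLACEHOLDER = re.compile(r"^X{7}[A-Z0-9]$")


def parse_ehlo(response):
    """Map EHLO keywords (uppercased) to their parameter string.

    The first 250 line is the server's greeting, not an extension, so it is
    skipped. Remaining lines look like '250-KEYWORD [params]' or, for the
    last one, '250 KEYWORD'.
    """
    lines = response.replace("\r\n", "\n").split("\n")
    features = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def assess_features(features):
    """Classify parsed EHLO features as 'ok', 'no-starttls' or 'tampered'.

    'tampered' means STARTTLS is absent *and* a same-length placeholder is
    present, which points to an in-path proxy rewriting the banner rather
    than a server that simply does not support TLS.
    """
    if "STARTTLS" in features:
        return "ok"
    if any(PLACEHOLDER.match(k) for k in features):
        return "tampered"
    return "no-starttls"


def assess_ehlo(response):
    """Convenience wrapper: parse a raw EHLO response, then classify it."""
    return assess_features(parse_ehlo(response))


def offers_cleartext_auth(response):
    """True when AUTH is advertised but STARTTLS is not: any credentials the
    client sends would cross the network unencrypted."""
    features = parse_ehlo(response)
    return "AUTH" in features and "STARTTLS" not in features


def check_live(host, port=25, timeout=10):
    """Probe a real server (hypothetical helper; needs network access, so it
    is not exercised by the offline test). Sends EHLO only: it never
    authenticates, never sends mail, and never falls back to cleartext."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, msg = s.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {msg!r}")
        # smtplib keeps the extensions in esmtp_features with lowercase keys.
        features = {k.upper(): v for k, v in s.esmtp_features.items()}
        return assess_features(features)


if __name__ == "__main__":
    for name, resp in (("clean", CLEAN_EHLO), ("tampered", TAMPERED_EHLO)):
        print(name, assess_ehlo(resp), "cleartext AUTH:",
              offers_cleartext_auth(resp))
```

The defensive point is in check_live: a client that requires TLS should treat a missing STARTTLS as a hard failure. smtplib's starttls() raises SMTPNotSupportedError when the extension is not advertised, and the right response to that is to stop, not to proceed with AUTH PLAIN or CRAM-MD5 on the plaintext connection.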
While I was tethered to my phone, I did a bit more testing. Vodafone
India doesn't seem to mess with HTTPS connections, and IMAP connections
are not downgraded either (i.e., the server's STARTTLS advertisement is
not modified, and the TLS negotiation succeeds). Nor did it inject any