NHS email encryption
Dave Howe
ukcrypto at chiark.greenend.org.uk
Sat, 25 Aug 2007 11:27:01 +0100
Roland Perry wrote:
> In article <46CEE726.5000806@defoam.net>, "Dr Adrian Midgley (In the
> office)" <amidgley2@defoam.net> writes
>> Any patient identifiable information sent from an ordinary email
>> account (eg ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully encrypted
>> and therefore open to interception and would constitute sending
>> details outside the EEA.
>
> Hold on, are they saying that the server that does nhs.uk emails is
> located outside the EEA?!?
>
> mail.nhs.uk is allegedly 212.137.44.179, which is somewhere in cw.net;
> Sheffield according to one geolocation tool, Manchester another, London
> a third (did anyone say geolocation was an inexact science?)
I *do* know the nhs.net official mailservers have been causing us
problems - they assert their willingness/ability to do opportunistic
crypto in their EHLO replies, but then drop the connection if you
attempt to do a STARTTLS from outside of the nhs.... This is apparently
a deliberate security misfeature, no idea how or why they would
implement that.
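
An added example, not part of the original post: a client-side probe that tells a server which advertises STARTTLS and then hangs up apart from one that never offers it or that fails the handshake. The names `probe_starttls` and `fake_server` are hypothetical, and the loopback server is constructed here to reproduce the described behaviour offline.

```python
import smtplib
import socket
import ssl
import threading

def probe_starttls(host, port=25, timeout=10):
    """Return 'not-advertised', 'ok', 'refused', 'tls-failed' or 'dropped'."""
    smtp = smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "not-advertised"
        try:
            code, _ = smtp.starttls(context=ssl.create_default_context())
        except smtplib.SMTPServerDisconnected:
            return "dropped"        # offered in EHLO, then hung up on STARTTLS
        except (ssl.SSLError, OSError):
            return "tls-failed"     # handshake or certificate problem
        return "ok" if code == 220 else "refused"
    finally:
        smtp.close()

def fake_server(advertise):
    """Constructed loopback SMTP server; returns the port it listens on.

    It serves one connection and closes it without replying to the
    command that follows EHLO (STARTTLS when the extension is advertised).
    """
    lsock = socket.create_server(("127.0.0.1", 0))
    port = lsock.getsockname()[1]

    def serve():
        conn, _ = lsock.accept()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            rd.readline()           # EHLO from the client
            if advertise:
                conn.sendall(b"250-fake.example\r\n250 STARTTLS\r\n")
            else:
                conn.sendall(b"250 fake.example\r\n")
            rd.readline()           # next command (or EOF): no reply, just close
        lsock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_starttls("127.0.0.1", fake_server(True), timeout=5))
    print(probe_starttls("127.0.0.1", fake_server(False), timeout=5))
```

A sending MTA that sees `dropped` for a destination can only retry without TLS or defer the message; the probe cannot tell from the client side why the server closed the connection.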