Yahoo Says It Will Encrypt All Data Center Data Transfers Now Too

from the thank-ed-snowden dept

If you use Yahoo, you can now thank Ed Snowden for the fact that your data is soon going to be more secure. Last week, we noted that Microsoft still wasn't encrypting traffic on the private lines between its data centers, and that Yahoo had suggested the same thing was true, given their very vague answer when asked about it all. Google, on the other hand, had been feverishly encrypting the traffic flows since the summer. Now, Yahoo's CEO Marissa Mayer has directly addressed the issue, announcing that they're working hard to encrypt all such data transfers and that they'll have the job done by the end of March in 2014. Also, perhaps equally or more importantly, they're planning to offer users the option to encrypt all the data in and out of Yahoo by that same date. Yahoo had been a bit slower than others to really recognize the importance of encryption, but it looks like they're going all in now -- which is great to see. And, if you remaining Yahoo users out there want to thank anyone, you might want to direct that appreciation towards Ed Snowden. Without him, it's quite unlikely this would be happening right now.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Nov 19th, 2013 @ 4:34am

    Why did Ladar Levinson shutter Lavabit,.. Oh that right the NSA demanded his keys under a gag order. It is up to individuals and companies to manage their own keys.

     

    reply to this | link to this | view in thread ]

  2. This comment has been flagged by the community. Click here to show it
     
    identicon
    Anonymous Coward, Nov 19th, 2013 @ 4:37am

    "Google, on the other hand, had been feverishly encrypting the traffic flows since the summer"

    1- You have no guarantees of that
    2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)...which, according to the Snowden leaks, they are more than happy to do.
    3- Even assuming that they are encrypting data now AND that that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?

    This is just P.R. from Google and Yahoo.

    I don't buy it.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Nov 19th, 2013 @ 4:44am

    nothing like shutting the barn door after the horse has bolted, eh? and exactly how much resistance was put up in the first place? nowhere enough, obviously!

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Capt ICE Enforcer, Nov 19th, 2013 @ 4:47am

    Open Letter to Ed Snowden

    Sir,

    Thank you for your sacrifice in doing the right thing. I feel ashamed that our nation which I have spent over 18 years defending has subjected you to such treatment. When you are able to come back home, I would love to buy you a beer. Stay safe. And know that all history books will list you as a hero.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Nov 19th, 2013 @ 5:39am

    Re:

    "you people"

    lol - cracks me up.



    "i dont buy it"

    too funny

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Private Frazer, Nov 19th, 2013 @ 5:48am

    But can they be trusted?

    How are we to know that they are not handing over the encryption keys to NSA/GCHQ - maybe thats why it took so long for them to say anything because they had to come an arrangement with NSA/GCHQ before announcing this.
    W're a' doomed.

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    OldGeezer (profile), Nov 19th, 2013 @ 6:02am

    Were these data link hacks rubber stamped by the FISA court or did the NSA just feel that since they approved nearly every thing else they did they could just do whatever they wanted? If some hacker did this the computer crimes laws would put him away for life but it's OK for the government, right?

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    silverscarcat (profile), Nov 19th, 2013 @ 6:04am

    Re:

    Yes, because surely nothing bad would happen by refusing the orders of the U.S. government when you can't put any specifics out.

    Right, Lavabit creator Ladar Levinson and Qwest? Surely they didn't suffer because they wouldn't play ball with the U.S. government, got funding pulled from their services and had to shut down.

    Surely that didn't happen.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Me, Nov 19th, 2013 @ 6:11am

    "This is just P.R. from Google and Yahoo."
    __________________________________________

    While it's true that the keys can just be handed over to the NSA, encryption plays an essential role in protecting communications and data from nefarious third parties as well, to whom google/yahoo/microsoft at least aren't turning over the keys.

    Security nihilists are the absolute worst.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    RyanNerd (profile), Nov 19th, 2013 @ 6:52am

    Running around with a tinfoil hat on

    It is my opinion that when the US stopped believing in the insane idea that RSA encryption was munitions (to prevent encryption from going overseas) the NSA had broken the encryption. Encrypt all you want -- it just means there is a delay before the NSA will have the plain text.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Nov 19th, 2013 @ 6:54am

    Does Snowden has a bitcoin wallet?

    http://money.cnn.com/2013/11/18/investing/bitcoin-china/index.html?hpt=hp_t5

    If he don't he should.

     

    reply to this | link to this | view in thread ]

  12. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Nov 19th, 2013 @ 7:03am

    Re: @ "Me" - "at least aren't turning over the keys."

    You have NO way of knowing what the mega-corporations are actually doing, how many corporations are conspiring against our privacy in the absence of anti-trust enforcement and the open fascism, and so re-inforce the AC's point which is aimed at fools who trust without any evidence at all.

    Also, from the underlines "___" as divider, you're apparently the "lots of lines" AC who was trolling me last week, and still don't know the horizontal rule tag.

    The world is being dumbed-down in ways most people are already too stupid to grasp.

    03:03:21[d-10-3] [ This is necessary to suppress the kids here from fraud of using my screen name. ]

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    Nick (profile), Nov 19th, 2013 @ 7:06am

    Ugh, as if Yahoo doesn't have enough on their plate, fixing the "improvement" to their mail site that has nothing but slow-downs, glitches, and complaints from day-one. Hey, let's add in encryption to it all!

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Nov 19th, 2013 @ 7:19am

    Re: Running around with a tinfoil hat on

    The effort that NSA has gone to to get unencrypted data suggests that RSA seriously compromises their ability to read encrypted messages. If they do have a way in, it probably costs far too much computer power to deal with bulk data gathering.

     

    reply to this | link to this | view in thread ]

  15.  
    icon
    Gwiz (profile), Nov 19th, 2013 @ 7:29am

    Re: Re: @ "Me" - "at least aren't turning over the keys."

    Also, from the underlines "___" as divider, you're apparently the "lots of lines" AC who was trolling me last week, and still don't know the horizontal rule tag.


    Strictly from an aesthetics point of view, Me's addition of the short line separating the quoted text from his own is visually appealing to the eye and adds to the overall ambiance of the comment. I give it a 8.5.

    Whereas your comment with the ugly long line separating your top lines of your bullshit from the bottom lines of your bullshit offends my artistic sensibilities. I give yours a 1.0. Maybe you should put a little more effort into it.

     

    reply to this | link to this | view in thread ]

  16.  
    icon
    DannyB (profile), Nov 19th, 2013 @ 8:22am

    Who?

    > If you use Yahoo, you can now thank Ed Snowden . . .

    If I use Ya Who? Who are they?

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Alt0, Nov 19th, 2013 @ 9:42am

    Re:

    1- You have no guarantees of that
    This is true, however it would be unlikely they would say that and risk being found out.

    2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)...which, according to the Snowden leaks, they are more than happy to do.
    It would still of course keep out non-NSA actors!
    While I do not agree with the mass data (or even smaller scale efforts being carried out currently by the NSA I seriously doubt someone there would steal my Credit Card number and buy crap online. This will at least help keep out those that would.

    3- Even assuming that they are encrypting data now AND that that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
    During the time Yahoo was building "from the ground up" these precautions on a closed network running between their own installations did not seem necessary. Not it seems that it is and they are doing something about it.

     

    reply to this | link to this | view in thread ]

  18.  
    icon
    Mike Masnick (profile), Nov 19th, 2013 @ 9:58am

    Re:

    Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)...which, according to the Snowden leaks, they are more than happy to do.

    Can you point to where in the Snowden leaks to date it has said that any of these companies willingly hands over encryption keys? Because it's not there.

    Even assuming that they are encrypting data now AND that that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?

    Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.

    And they didn't "intentionally leave a hole." They thought, quite reasonably, that it wasn't a hole. And, when they discovered the backdoor in, they worked to shut it. That's a good thing.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Griff, Nov 19th, 2013 @ 10:07am

    Re: Lavabit

    When the FBI asked LL for his SSL keys he refused. He was told to present himself in Washington at his cost within a week. He could not find a DC licensed lawyer he could afford in time (esp since he couldn't say before retaining the lawyer what the job entailed).

    Imagine the same scenario again but with Google.
    They'd walk into court in Washington fully armed and push back big time. And I reckon the original offer (to write code to allow SPECIFIC tapping of one user) that LL made would be what the judge would settle for.

    I honestly think Google would take this legal fight to its logical conclusion, but LL was simply not equipped to do so.


    Or maybe i'm just being naive...

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    ltlw0lf (profile), Nov 19th, 2013 @ 10:38am

    Re: Re:

    Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.

    Not to mention it adds considerable overhead. Keeping the back-channels unencrypted reduces the bandwidth and speeds the traffic considerably. Adding encryption to anything slows it down (though that can be managed.) For most websites using back-channel connections to databases, if encryption is turned on, they run the risk of DoS if there are a high number of queries against the database, and most will turn off the encryption, especially if using local sockets/pipes, even if someone sitting on the machine can compromise these, just to keep everything smooth.

    I'd go even further on your statement that it wasn't considered a hole...Until the NSA was found to have a backdoor in their network, anyone who would have suggested that they would encrypt all their out-of-bound/back-channel comms would likely (and quite reasonably) have been fired.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    vastrightwing, Nov 19th, 2013 @ 11:37am

    Re:

    You stole my thunder!

    Let's not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?

    Will they also implement a kill switch; like post:

    "We have not received a request to decrypt or otherwise remove the integrity of our encrypted channel?"

    so that if they do have to comply with a request to do so, this line of text would have to be taken down?

    I'm sorry; all the animals are out of the barn. There is no point of closing the doors now.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Nov 19th, 2013 @ 2:43pm

    Look we are cool too like Google, we're gonna encrypt everything.

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    John Fenderson (profile), Nov 19th, 2013 @ 4:19pm

    Re: Re:

    encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself.


    I actually do this on my home network. It's not really as bad as it might sound, and the performance hit isn't noticeable.

    Of course, I'm moving a metric hit-ton less data around than an outfit like Yahoo. The larger the scale, the more of a hit something like this causes.

     

    reply to this | link to this | view in thread ]

  24.  
    icon
    That One Guy (profile), Nov 19th, 2013 @ 4:59pm

    Re: Re:

    Let's not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?

    Given the NSA went through all the trouble of tapping their data center lines directly, I'd say odds are pretty poor, as that's not the actions of a group that's been given the okay by the company to spy on such traffic, but rather a group that either did ask and was denied, or doesn't even want to ask because they think they will be denied.

    I'm sorry; all the animals are out of the barn. There is no point of closing the doors now.

    I'm confused, are you arguing for or against the NSA here?

    The thinking of 'oh they've already tapped the unencrypted data, no sense in encrypting it now' plays right into the NSA's hands, whereas encrypting, even if it's broken, at least makes them work to do so, and removes their current access.

     

    reply to this | link to this | view in thread ]

  25.  
    icon
    CrazedLeper (profile), Nov 19th, 2013 @ 9:15pm

    because it will look bad if it doesn't but it will, secretly but freely, give over the encryption key(s) to the NSA.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Nov 20th, 2013 @ 12:15am

    Re: Re:

    Actaully, if all your home computers are connected to your home's WIFI access point, most probably you're encrypting it already.

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    ltlw0lf (profile), Nov 20th, 2013 @ 9:25am

    Re: Re: Re:

    Actaully, if all your home computers are connected to your home's WIFI access point, most probably you're encrypting it already.

    Doubtful, especially if you aren't using 802.1x and wireless separation mode. Everyone on the network has the session key and can decrypt everyone else's traffic. Only outsiders can't decrypt the traffic (unless you are using a short key, WPS, WPA 1 or WEP, in which case, they probably can.) And it isn't going to stop the NSA, who just hires your provider to give the unencrypted traffic from the backbone or compromises your switch/router to grab the traffic which is unencrypted on the wired LAN.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This