Yahoo Says It Will Encrypt All Data Center Data Transfers Now Too

from the thank-ed-snowden dept

If you use Yahoo, you can now thank Ed Snowden for the fact that your data is soon going to be more secure. Last week, we noted that Microsoft still wasn’t encrypting traffic on the private lines between its data centers, and that Yahoo had suggested the same thing was true, given their very vague answer when asked about it all. Google, on the other hand, had been feverishly encrypting the traffic flows since the summer. Now, Yahoo’s CEO Marissa Mayer has directly addressed the issue, announcing that they’re working hard to encrypt all such data transfers and that they’ll have the job done by the end of March in 2014. Also, perhaps equally or more importantly, they’re planning to offer users the option to encrypt all the data in and out of Yahoo by that same date. Yahoo had been a bit slower than others to really recognize the importance of encryption, but it looks like they’re going all in now — which is great to see. And, if you remaining Yahoo users out there want to thank anyone, you might want to direct that appreciation towards Ed Snowden. Without him, it’s quite unlikely this would be happening right now.

Filed Under: , , ,
Companies: yahoo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Yahoo Says It Will Encrypt All Data Center Data Transfers Now Too”

Subscribe: RSS Leave a comment
27 Comments
Griff says:

Re: Lavabit

When the FBI asked LL for his SSL keys he refused. He was told to present himself in Washington at his cost within a week. He could not find a DC licensed lawyer he could afford in time (esp since he couldn’t say before retaining the lawyer what the job entailed).

Imagine the same scenario again but with Google.
They’d walk into court in Washington fully armed and push back big time. And I reckon the original offer (to write code to allow SPECIFIC tapping of one user) that LL made would be what the judge would settle for.

I honestly think Google would take this legal fight to its logical conclusion, but LL was simply not equipped to do so.

Or maybe i’m just being naive…

Anonymous Coward says:

“Google, on the other hand, had been feverishly encrypting the traffic flows since the summer”

1- You have no guarantees of that
2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)…which, according to the Snowden leaks, they are more than happy to do.
3- Even assuming that they are encrypting data now AND that that the NSA doesn’t have the keys, uh, why only start encrypting now? This should’ve been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?

This is just P.R. from Google and Yahoo.

I don’t buy it.

Alt0 says:

Re: Re:

1- You have no guarantees of that
This is true, however it would be unlikely they would say that and risk being found out.

2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)…which, according to the Snowden leaks, they are more than happy to do.
It would still of course keep out non-NSA actors!
While I do not agree with the mass data (or even smaller scale efforts being carried out currently by the NSA I seriously doubt someone there would steal my Credit Card number and buy crap online. This will at least help keep out those that would.

3- Even assuming that they are encrypting data now AND that that the NSA doesn’t have the keys, uh, why only start encrypting now? This should’ve been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
During the time Yahoo was building “from the ground up” these precautions on a closed network running between their own installations did not seem necessary. Not it seems that it is and they are doing something about it.

Mike Masnick (profile) says:

Re: Re:

Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)…which, according to the Snowden leaks, they are more than happy to do.

Can you point to where in the Snowden leaks to date it has said that any of these companies willingly hands over encryption keys? Because it’s not there.

Even assuming that they are encrypting data now AND that that the NSA doesn’t have the keys, uh, why only start encrypting now? This should’ve been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?

Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.

And they didn’t “intentionally leave a hole.” They thought, quite reasonably, that it wasn’t a hole. And, when they discovered the backdoor in, they worked to shut it. That’s a good thing.

ltlw0lf (profile) says:

Re: Re: Re:

Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.

Not to mention it adds considerable overhead. Keeping the back-channels unencrypted reduces the bandwidth and speeds the traffic considerably. Adding encryption to anything slows it down (though that can be managed.) For most websites using back-channel connections to databases, if encryption is turned on, they run the risk of DoS if there are a high number of queries against the database, and most will turn off the encryption, especially if using local sockets/pipes, even if someone sitting on the machine can compromise these, just to keep everything smooth.

I’d go even further on your statement that it wasn’t considered a hole…Until the NSA was found to have a backdoor in their network, anyone who would have suggested that they would encrypt all their out-of-bound/back-channel comms would likely (and quite reasonably) have been fired.

John Fenderson (profile) says:

Re: Re: Re:

encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself.

I actually do this on my home network. It’s not really as bad as it might sound, and the performance hit isn’t noticeable.

Of course, I’m moving a metric hit-ton less data around than an outfit like Yahoo. The larger the scale, the more of a hit something like this causes.

ltlw0lf (profile) says:

Re: Re: Re: Re:

Actaully, if all your home computers are connected to your home’s WIFI access point, most probably you’re encrypting it already.

Doubtful, especially if you aren’t using 802.1x and wireless separation mode. Everyone on the network has the session key and can decrypt everyone else’s traffic. Only outsiders can’t decrypt the traffic (unless you are using a short key, WPS, WPA 1 or WEP, in which case, they probably can.) And it isn’t going to stop the NSA, who just hires your provider to give the unencrypted traffic from the backbone or compromises your switch/router to grab the traffic which is unencrypted on the wired LAN.

silverscarcat (profile) says:

Re: Re:

Yes, because surely nothing bad would happen by refusing the orders of the U.S. government when you can’t put any specifics out.

Right, Lavabit creator Ladar Levinson and Qwest? Surely they didn’t suffer because they wouldn’t play ball with the U.S. government, got funding pulled from their services and had to shut down.

Surely that didn’t happen.

vastrightwing (profile) says:

Re: Re:

You stole my thunder!

Let’s not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?

Will they also implement a kill switch; like post:

“We have not received a request to decrypt or otherwise remove the integrity of our encrypted channel?”

so that if they do have to comply with a request to do so, this line of text would have to be taken down?

I’m sorry; all the animals are out of the barn. There is no point of closing the doors now.

That One Guy (profile) says:

Re: Re: Re:

Let’s not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?

Given the NSA went through all the trouble of tapping their data center lines directly, I’d say odds are pretty poor, as that’s not the actions of a group that’s been given the okay by the company to spy on such traffic, but rather a group that either did ask and was denied, or doesn’t even want to ask because they think they will be denied.

I’m sorry; all the animals are out of the barn. There is no point of closing the doors now.

I’m confused, are you arguing for or against the NSA here?

The thinking of ‘oh they’ve already tapped the unencrypted data, no sense in encrypting it now’ plays right into the NSA’s hands, whereas encrypting, even if it’s broken, at least makes them work to do so, and removes their current access.

Me says:

“This is just P.R. from Google and Yahoo.”
__________________________________________

While it’s true that the keys can just be handed over to the NSA, encryption plays an essential role in protecting communications and data from nefarious third parties as well, to whom google/yahoo/microsoft at least aren’t turning over the keys.

Security nihilists are the absolute worst.

out_of_the_blue says:

Re: @ "Me" - "at least aren't turning over the keys."

You have NO way of knowing what the mega-corporations are actually doing, how many corporations are conspiring against our privacy in the absence of anti-trust enforcement and the open fascism, and so re-inforce the AC’s point which is aimed at fools who trust without any evidence at all.

Also, from the underlines “___” as divider, you’re apparently the “lots of lines” AC who was trolling me last week, and still don’t know the horizontal rule tag.


The world is being dumbed-down in ways most people are already too stupid to grasp.

03:03:21[d-10-3] [ This is necessary to suppress the kids here from fraud of using my screen name. ]

Gwiz (profile) says:

Re: Re: @ "Me" - "at least aren't turning over the keys."

Also, from the underlines “___” as divider, you’re apparently the “lots of lines” AC who was trolling me last week, and still don’t know the horizontal rule tag.

Strictly from an aesthetics point of view, Me’s addition of the short line separating the quoted text from his own is visually appealing to the eye and adds to the overall ambiance of the comment. I give it a 8.5.

Whereas your comment with the ugly long line separating your top lines of your bullshit from the bottom lines of your bullshit offends my artistic sensibilities. I give yours a 1.0. Maybe you should put a little more effort into it.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...