Yahoo Rolls Out End-To-End Encryption For Email

from the good-move! dept

Back in 2012 (pre-Snowden!), we wrote about why Google should encrypt everyone’s emails using end-to-end encryption (inspired by a post by Julian Sanchez saying the same thing). Since then, securing private communications has become increasingly important. That’s why we were happy to see Google announce that it was, in fact, working on a project to enable end-to-end encryption on Gmail, though it was still in the early stages. In December of last year, Google moved that project to Github, showing that it was advancing nicely. As we noted at the time, one interesting sidenote on this was that Yahoo’s Chief Security Officer, Alex Stamos, was contributing to the project as well.

Thus it’s not surprising, but still great to see, that Stamos has now announced the availability of an end-to-end encryption extension for Yahoo Mail (also posted to Yahoo’s Github repository). It appears to function similarly to existing third-party extensions (like Mailvelope), but it’s still good to see the big webmail providers like Yahoo and Google taking this issue more seriously. It’s still not ready for prime time, and it’s unlikely that either provider is going to make this a default option any time soon, but offering more, better (and more user friendly) options to give everyone at least the option of doing end-to-end encryption is a very good sign.

It also raises a separate issue that I think is important: many have argued that companies like Yahoo and especially Google would never actually push for end-to-end encryption of emails, because it takes away the ability of those companies to do contextual advertising within those emails. But that’s an exceptionally short-sighted view. If Google, Yahoo and others don’t do enough to protect their users’ privacy, those users will go elsewhere, and then it won’t matter whether or not the emails are encrypted, because they won’t see them anyway. Focusing on the user first is always going to be the right solution, and that includes encrypting emails, even if it means slightly less ad revenue in the short term. Hopefully, Google, Yahoo and others remember this simple fact.

Filed Under: , , ,
Companies: yahoo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Yahoo Rolls Out End-To-End Encryption For Email”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

Sure it does… it makes their job a lot more difficult. End-to-end means that only you and the recipient get to have the decryption key. So it doesn’t matter how much data they snarf down, it will be useless unless they’ve got a targeted keylogger or other data exfiltration device on your system. They can’t just “big data” this stuff, as the data would be way too big if they collected everything on all endpoints. So end-to-end forces them to behave the way they should be already.

Anonymous2 says:

Re: Re:

Oh, yes it does. The problem is that we don’t yet have an end-to-end encryption convention simple enough so everyone can use it by default.

Google and Yahoo efforts really advance the situation by attempting a solution easy enough that everyone can put it in place. The ‘easy for everyone to use by default’ will mean it will not be bullet-proof. It doesn’t have to be to put a stop to bulk privacy invasions into personal information. We need this default universal protection with as little delay as possible.

Once universally in place, work can proceed to eventually reduce inevitable early vulnerabilities exposed to the sufficiently-determined and sufficiently-financed.

Anonymous2 says:

Re: Re: Re:2 Re:

Both points are correct.

Right now, I have no email security beyond using a non-invasive email host, even though I would be willing to work to achieve it. The problem is that no one I communicate with would be willing or able to put in a similar effort.

If a trivially-installed encryption framework can be worked out that can be incrementally improved, then we would reach the critical mass to make everyone’s private communications more secure.

Of course, many will not handle their private keys properly, and any communication with them could be hacked. But it would take an effort to do many such individual hackings, and people can learn to improve defenses over time if it can be done in small increments.

Until that basic framework is in place, honest private email conversations will remain choked and guarded. Freedom of private speech is very difficult under such conditions.

That One Guy (profile) says:

Re: Re:

The point isn’t to make it impossible for the spy agencies, as if they really want access to your communications bad enough, they will find a way to do so. No, the point is to make them work for it, to make it more trouble than it’s worth breaking the encryption when they have no idea if anything protected by it will be of any interest or use.

Make it a big enough pain, and mass-spying suddenly becomes a lot less enticing to the voyeurs staffing those agencies, ideally either making them spend time and money cracking the encryption to people’s communications, or not bothering at all and shifting their focus back on targeted investigations.

Anonymous Anonymous Coward says:


At the same time they are providing a no password solution tied to phone numbers. One article I read suggested that some teen girls should be careful of letting their younger brothers (or parents) borrow the phone.

I might use the encryption if I felt there was a need (have to see how it works, like how does the recipient get the code?) but would NEVER use a cellphone number as a password (the fact that I no longer own a cellphone not withstanding).

I don’t like passwords and keep hoping for a better (and secure (iris scans and finger prints don’t seem like solutions as once the ‘image’ is made it is emanatly copy-able)) solution. I use PasswordManager (Bruce Schneier originated) and could not possibly tell you what my passwords are (with the exception of PasswordManager and two computer logins), the other two or three dozen are created by PasswordManager, and it does the typing for me. Without PasswordManager I could not log into my email accounts.

Ninja (profile) says:

Re: Yet

As far as I understood it’s an app that generates passwords tied to the current date and time, much like Google auth. You could encrypt your phone with a key and further protect this password generator (that should be open for use with any service that requires random key generators so you can put everything in one place and secure that place accordingly). You still need to remember some passwords (two if you encrypt your phone and lock the app) but nothing more. Also, like Google auth, it seems connections are factored out.

I’d argue that you could make things safer if there was a standalone device that would act solely as the key generator instead of bundling it with a computer (cellphone) but it’s at least a start.

Anonymous Coward says:

Nobody of value uses Yahoo -- and nobody should

Yahoo is one of the very worst-run operations on the Internet. The incompetence and negligence there is stunning in terms of both its pervasiveness and its longevity — so much so that it’s difficult to find superlatives that adequately cover it.

Yahoo is completely overrun with spammers and phishers. Yahoo has massive security holes — it wouldn’t surprise me if attackers have gained control of parts of their infrastructure. Yahoo not only doesn’t act on mail sent from network peers to role accounts (e.g., postmaster, hostmaster, abuse, etc.) but responses — if any — are incoherent and illiterate. (I have a file full of them, including some that show their inability to look at mail headers and recognize their own users on their own systems on their own network.) Yahoo stupidly enabled DMARC a year ago, ostensibly to deal with forgery, thus breaking every mailing list on the Internet and doing NOTHING about the tens of millions of compromised accounts that send traffic dutifully marked by DMARC as authentic.

More briefly: Yahoo is a shithole of spam, abuse, phishing, kiddie porn, scams, hacks, and forgery — and if it closed down tomorrow, this would be a huge benefit for the rest of the Internet. Yahoo could try to fix this of course but it apparently prefers to spend its money on $500M acquisitions rather than behaving as a responsible, professional, competent, ethical member of the community.

And Stamos? A shill. A mouthpiece. A front. No more. Why do you think he’s blathering about this utterly worthless project rather than attacking the core problems? It’s a PR stunt designed to distract attention and it’s working.

Ninja (profile) says:

Re: Nobody of value uses Yahoo -- and nobody should

I can’t dispute your assertions since I don’t use Yahoo but honestly I seldom receive spam from Yahoo addresses. Amuzingly I get more spam from Gmail itself (my provider) than Yahoo or Microsoft. But even if you sum all three it doesn’t even come close to 1% of the rest of the domains. I’ve built my custom filter with most of the offenders so today when I get spam it’s only from newly compromised servers so it has been reduced to one or two spam mails a week.

So my point is, do you have articles and sources that provide facts and proper explanations to your assertions? I’m not mocking you or anything, it’s an honest question.

Anonymous Coward says:

Re: Re: Nobody of value uses Yahoo -- and nobody should

I have an old Yahoo email address. After reading this news (right here on Techdirt), for the first time in many months, I went over to Yahoo and logged in. The user interface has been changed for the worse, is incredibly slow to the point of timeouts (running latest Firefox), and very spammy tasteless sponsored ads (stuff like supplements, dating sites, get-rich-quick schemes all with unblockeable images) are impossible to remove without signing up for the non-free service. I couldn’t find any mention of any new features (such as encryption). In fact as soon as I saw the spammy unremoveable ads I backed out as quickly as possible (I have a ton of adblockers and script blockers, and it’s been a while since I saw any ad but these were right in the email inbox). I don’t want to go there again, my PC needs a wash, and the whole thing felt so sleazy that gmail is virginal and pure by comparison. Yuk.

John Fenderson (profile) says:

I wonder...

If Google, Yahoo and others don’t do enough to protect their users’ privacy, those users will go elsewhere, and then it won’t matter whether or not the emails are encrypted, because they won’t see them anyway.

It seems to me that people who are concerned about privacy already avoid using mail services that do contextual advertising, so I wonder how strong that effect would be.

sanskaar (profile) says:

Sanskaar Kids Kingdom is a play gruop school

Our Pedagogy is researched and different form all other methodology. Sanskaar has developed Sanskaar Unique Method (SUM) .It is very much scientific, psychology and practical. We not work on learning but also on learning habits.
SUM is based on Involvement of Dramaturgy in Education Application (IDEA). Realism, Simple to Complex and known to Unknown are key mantras of pedagogy.

rahul (user link) says:

Indian Business Directory, Local Search Engine in India

We are among the top Local Search Engine Company India offering many packages which helps to support your website at the top on the Google pages. We, at India Internet present you with the very best web promotion services bringing your websites in top search results. We help you to get the traffic of your website.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...