Yahoo Says It Will Encrypt All Data Center Data Transfers Now Too
from the thank-ed-snowden dept
If you use Yahoo, you can now thank Ed Snowden for the fact that your data is soon going to be more secure. Last week, we noted that Microsoft still wasn’t encrypting traffic on the private lines between its data centers, and that Yahoo had suggested the same thing was true, given their very vague answer when asked about it all. Google, on the other hand, had been feverishly encrypting the traffic flows since the summer. Now, Yahoo’s CEO Marissa Mayer has directly addressed the issue, announcing that they’re working hard to encrypt all such data transfers and that they’ll have the job done by the end of March in 2014. Also, perhaps equally or more importantly, they’re planning to offer users the option to encrypt all the data in and out of Yahoo by that same date. Yahoo had been a bit slower than others to really recognize the importance of encryption, but it looks like they’re going all in now — which is great to see. And, if you remaining Yahoo users out there want to thank anyone, you might want to direct that appreciation towards Ed Snowden. Without him, it’s quite unlikely this would be happening right now.
Filed Under: data centers, ed snowden, encryption, marissa mayer
Companies: yahoo
Comments on “Yahoo Says It Will Encrypt All Data Center Data Transfers Now Too”
Why did Ladar Levinson shutter Lavabit,.. Oh that right the NSA demanded his keys under a gag order. It is up to individuals and companies to manage their own keys.
Re: Lavabit
When the FBI asked LL for his SSL keys he refused. He was told to present himself in Washington at his cost within a week. He could not find a DC licensed lawyer he could afford in time (esp since he couldn’t say before retaining the lawyer what the job entailed).
Imagine the same scenario again but with Google.
They’d walk into court in Washington fully armed and push back big time. And I reckon the original offer (to write code to allow SPECIFIC tapping of one user) that LL made would be what the judge would settle for.
I honestly think Google would take this legal fight to its logical conclusion, but LL was simply not equipped to do so.
Or maybe i’m just being naive…
“Google, on the other hand, had been feverishly encrypting the traffic flows since the summer”
1- You have no guarantees of that
2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)…which, according to the Snowden leaks, they are more than happy to do.
3- Even assuming that they are encrypting data now AND that that the NSA doesn’t have the keys, uh, why only start encrypting now? This should’ve been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
This is just P.R. from Google and Yahoo.
I don’t buy it.
Re: Re:
“you people”
lol – cracks me up.
“i dont buy it”
too funny
Re: Re:
1- You have no guarantees of that
This is true, however it would be unlikely they would say that and risk being found out.
2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)…which, according to the Snowden leaks, they are more than happy to do.
It would still of course keep out non-NSA actors!
While I do not agree with the mass data (or even smaller scale efforts being carried out currently by the NSA I seriously doubt someone there would steal my Credit Card number and buy crap online. This will at least help keep out those that would.
3- Even assuming that they are encrypting data now AND that that the NSA doesn’t have the keys, uh, why only start encrypting now? This should’ve been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
During the time Yahoo was building “from the ground up” these precautions on a closed network running between their own installations did not seem necessary. Not it seems that it is and they are doing something about it.
Re: Re:
Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)…which, according to the Snowden leaks, they are more than happy to do.
Can you point to where in the Snowden leaks to date it has said that any of these companies willingly hands over encryption keys? Because it’s not there.
Even assuming that they are encrypting data now AND that that the NSA doesn’t have the keys, uh, why only start encrypting now? This should’ve been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.
And they didn’t “intentionally leave a hole.” They thought, quite reasonably, that it wasn’t a hole. And, when they discovered the backdoor in, they worked to shut it. That’s a good thing.
Re: Re: Re:
Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.
Not to mention it adds considerable overhead. Keeping the back-channels unencrypted reduces the bandwidth and speeds the traffic considerably. Adding encryption to anything slows it down (though that can be managed.) For most websites using back-channel connections to databases, if encryption is turned on, they run the risk of DoS if there are a high number of queries against the database, and most will turn off the encryption, especially if using local sockets/pipes, even if someone sitting on the machine can compromise these, just to keep everything smooth.
I’d go even further on your statement that it wasn’t considered a hole…Until the NSA was found to have a backdoor in their network, anyone who would have suggested that they would encrypt all their out-of-bound/back-channel comms would likely (and quite reasonably) have been fired.
Re: Re: Re:
I actually do this on my home network. It’s not really as bad as it might sound, and the performance hit isn’t noticeable.
Of course, I’m moving a metric hit-ton less data around than an outfit like Yahoo. The larger the scale, the more of a hit something like this causes.
Re: Re: Re:
Actaully, if all your home computers are connected to your home’s WIFI access point, most probably you’re encrypting it already.
Re: Re: Re: Re:
Actaully, if all your home computers are connected to your home’s WIFI access point, most probably you’re encrypting it already.
Doubtful, especially if you aren’t using 802.1x and wireless separation mode. Everyone on the network has the session key and can decrypt everyone else’s traffic. Only outsiders can’t decrypt the traffic (unless you are using a short key, WPS, WPA 1 or WEP, in which case, they probably can.) And it isn’t going to stop the NSA, who just hires your provider to give the unencrypted traffic from the backbone or compromises your switch/router to grab the traffic which is unencrypted on the wired LAN.
nothing like shutting the barn door after the horse has bolted, eh? and exactly how much resistance was put up in the first place? nowhere enough, obviously!
Re: Re:
Yes, because surely nothing bad would happen by refusing the orders of the U.S. government when you can’t put any specifics out.
Right, Lavabit creator Ladar Levinson and Qwest? Surely they didn’t suffer because they wouldn’t play ball with the U.S. government, got funding pulled from their services and had to shut down.
Surely that didn’t happen.
Re: Re:
You stole my thunder!
Let’s not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?
Will they also implement a kill switch; like post:
“We have not received a request to decrypt or otherwise remove the integrity of our encrypted channel?”
so that if they do have to comply with a request to do so, this line of text would have to be taken down?
I’m sorry; all the animals are out of the barn. There is no point of closing the doors now.
Re: Re: Re:
Let’s not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?
Given the NSA went through all the trouble of tapping their data center lines directly, I’d say odds are pretty poor, as that’s not the actions of a group that’s been given the okay by the company to spy on such traffic, but rather a group that either did ask and was denied, or doesn’t even want to ask because they think they will be denied.
I’m sorry; all the animals are out of the barn. There is no point of closing the doors now.
I’m confused, are you arguing for or against the NSA here?
The thinking of ‘oh they’ve already tapped the unencrypted data, no sense in encrypting it now’ plays right into the NSA’s hands, whereas encrypting, even if it’s broken, at least makes them work to do so, and removes their current access.
Open Letter to Ed Snowden
Sir,
Thank you for your sacrifice in doing the right thing. I feel ashamed that our nation which I have spent over 18 years defending has subjected you to such treatment. When you are able to come back home, I would love to buy you a beer. Stay safe. And know that all history books will list you as a hero.
But can they be trusted?
How are we to know that they are not handing over the encryption keys to NSA/GCHQ – maybe thats why it took so long for them to say anything because they had to come an arrangement with NSA/GCHQ before announcing this.
W’re a’ doomed.
Were these data link hacks rubber stamped by the FISA court or did the NSA just feel that since they approved nearly every thing else they did they could just do whatever they wanted? If some hacker did this the computer crimes laws would put him away for life but it’s OK for the government, right?
“This is just P.R. from Google and Yahoo.”
__________________________________________
While it’s true that the keys can just be handed over to the NSA, encryption plays an essential role in protecting communications and data from nefarious third parties as well, to whom google/yahoo/microsoft at least aren’t turning over the keys.
Security nihilists are the absolute worst.
Re: @ "Me" - "at least aren't turning over the keys."
You have NO way of knowing what the mega-corporations are actually doing, how many corporations are conspiring against our privacy in the absence of anti-trust enforcement and the open fascism, and so re-inforce the AC’s point which is aimed at fools who trust without any evidence at all.
Also, from the underlines “___” as divider, you’re apparently the “lots of lines” AC who was trolling me last week, and still don’t know the horizontal rule tag.
The world is being dumbed-down in ways most people are already too stupid to grasp.
03:03:21[d-10-3] [ This is necessary to suppress the kids here from fraud of using my screen name. ]
Re: Re: @ "Me" - "at least aren't turning over the keys."
Also, from the underlines “___” as divider, you’re apparently the “lots of lines” AC who was trolling me last week, and still don’t know the horizontal rule tag.
Strictly from an aesthetics point of view, Me’s addition of the short line separating the quoted text from his own is visually appealing to the eye and adds to the overall ambiance of the comment. I give it a 8.5.
Whereas your comment with the ugly long line separating your top lines of your bullshit from the bottom lines of your bullshit offends my artistic sensibilities. I give yours a 1.0. Maybe you should put a little more effort into it.
Running around with a tinfoil hat on
It is my opinion that when the US stopped believing in the insane idea that RSA encryption was munitions (to prevent encryption from going overseas) the NSA had broken the encryption. Encrypt all you want — it just means there is a delay before the NSA will have the plain text.
Re: Running around with a tinfoil hat on
The effort that NSA has gone to to get unencrypted data suggests that RSA seriously compromises their ability to read encrypted messages. If they do have a way in, it probably costs far too much computer power to deal with bulk data gathering.
Does Snowden has a bitcoin wallet?
http://money.cnn.com/2013/11/18/investing/bitcoin-china/index.html?hpt=hp_t5
If he don’t he should.
Ugh, as if Yahoo doesn’t have enough on their plate, fixing the “improvement” to their mail site that has nothing but slow-downs, glitches, and complaints from day-one. Hey, let’s add in encryption to it all!
Who?
> If you use Yahoo, you can now thank Ed Snowden . . .
If I use Ya Who? Who are they?
Look we are cool too like Google, we’re gonna encrypt everything.
because it will look bad if it doesn’t but it will, secretly but freely, give over the encryption key(s) to the NSA.