by Mike Masnick


Filed Under:
email, encryption, end to end, end to end encryption

Companies:
yahoo



Yahoo Rolls Out End-To-End Encryption For Email

from the good-move! dept

Back in 2012 (pre-Snowden!), we wrote about why Google should encrypt everyone's emails using end-to-end encryption (inspired by a post by Julian Sanchez saying the same thing). Since then, securing private communications has become increasingly important. That's why we were happy to see Google announce that it was, in fact, working on a project to enable end-to-end encryption on Gmail, though it was still in the early stages. In December of last year, Google moved that project to GitHub, showing that it was advancing nicely. As we noted at the time, one interesting side note on this was that Yahoo's Chief Security Officer, Alex Stamos, was contributing to the project as well.

Thus it's not surprising, but still great to see, that Stamos has now announced the availability of an end-to-end encryption extension for Yahoo Mail (also posted to Yahoo's GitHub repository). It appears to function similarly to existing third-party extensions (like Mailvelope), but it's still good to see the big webmail providers like Yahoo and Google taking this issue more seriously. It's still not ready for prime time, and it's unlikely that either provider is going to make this a default option any time soon, but offering more, better (and more user-friendly) options to give everyone at least the option of doing end-to-end encryption is a very good sign.

It also raises a separate issue that I think is important: many have argued that companies like Yahoo and especially Google would never actually push for end-to-end encryption of emails, because it takes away the ability of those companies to do contextual advertising within those emails. But that's an exceptionally short-sighted view. If Google, Yahoo and others don't do enough to protect their users' privacy, those users will go elsewhere, and then it won't matter whether or not the emails are encrypted, because they won't see them anyway. Focusing on the user first is always going to be the right solution, and that includes encrypting emails, even if it means slightly less ad revenue in the short term. Hopefully, Google, Yahoo and others remember this simple fact.

Reader Comments


  • avideogameplayer, 17 Mar 2015 @ 4:14pm

    Encryption doesn't mean shit if the NSA can just use their NSLs or just hack into any and all accounts...

    • Anonymous Coward, 17 Mar 2015 @ 4:21pm

      Re:

      Not everyone's threat model includes USG.

      • Max, 17 Mar 2015 @ 4:35pm

        Re: Re:

        Well seeing as how 99.99% of ordinary people have NOBODY ELSE interested in their mail, what good any encryption is to them if it can't even keep out the one foe they know is snooping on them - the USG?!?

      • Anonymous Coward, 17 Mar 2015 @ 8:59pm

        Re: Re:

        "Not everyone's threat model includes USG."

        My threat model includes everyone but the intended recipient.

    • Anonymous Coward, 17 Mar 2015 @ 5:09pm

      Re:

      Sure it does... it makes their job a lot more difficult. End-to-end means that only you and the recipient get to have the decryption key. So it doesn't matter how much data they snarf down, it will be useless unless they've got a *targeted* keylogger or other data exfiltration device on your system. They can't just "big data" this stuff, as the data would be way too big if they collected everything on all endpoints. So end-to-end forces them to behave the way they should be already.

    • Anonymous2, 17 Mar 2015 @ 5:30pm

      Re:

      Oh, yes it does. The problem is that we don't yet have an end-to-end encryption convention simple enough so everyone can use it by default.

      Google and Yahoo efforts really advance the situation by attempting a solution easy enough that everyone can put it in place. The 'easy for everyone to use by default' will mean it will not be bullet-proof. It doesn't have to be to put a stop to bulk privacy invasions into personal information. We need this default universal protection with as little delay as possible.

      Once universally in place, work can proceed to eventually reduce inevitable early vulnerabilities exposed to the sufficiently-determined and sufficiently-financed.

      • Anonymous Coward, 17 Mar 2015 @ 9:09pm

        Re: Re:

        "The 'easy for everyone to use by default' will mean it will not be bullet-proof."

        Hmm, "security through insecurity". How very Orwellian.

        • John Fenderson, 18 Mar 2015 @ 7:52am

          Re: Re: Re:

          I don't think that's what he's saying. I think he's saying that some level of security is better than no security at all.

          Also, there's no such thing as "bulletproof" security anyway.

          • Anonymous2, 18 Mar 2015 @ 9:34am

            Re: Re: Re: Re:

            Both points are correct.

            Right now, I have no email security beyond using a non-invasive email host, even though I would be willing to work to achieve it. The problem is that no one I communicate with would be willing or able to put in a similar effort.

            If a trivially-installed encryption framework can be worked out that can be incrementally improved, then we would reach the critical mass to make everyone's private communications more secure.

            Of course, many will not handle their private keys properly, and any communication with them could be hacked. But it would take an effort to do many such individual hackings, and people can learn to improve defenses over time if it can be done in small increments.

            Until that basic framework is in place, honest private email conversations will remain choked and guarded. Freedom of private speech is very difficult under such conditions.

    • That One Guy, 17 Mar 2015 @ 8:16pm

      Re:

      The point isn't to make it impossible for the spy agencies, as if they really want access to your communications bad enough, they will find a way to do so. No, the point is to make them work for it, to make it more trouble than it's worth breaking the encryption when they have no idea if anything protected by it will be of any interest or use.

      Make it a big enough pain, and mass-spying suddenly becomes a lot less enticing to the voyeurs staffing those agencies, ideally either making them spend time and money cracking the encryption to people's communications, or not bothering at all and shifting their focus back on targeted investigations.

    • Paul, 19 Mar 2015 @ 6:50am

      Re: End-to-end encryption

      That's the point of end-to-end encryption, you have the keys in your possession, not on the provider's servers. Even with NSLs, all the NSA will get is encrypted data from the provider...

  • Anonymous Anonymous Coward, 17 Mar 2015 @ 4:23pm

    Yet

    At the same time they are providing a no password solution tied to phone numbers. One article I read suggested that some teen girls should be careful of letting their younger brothers (or parents) borrow the phone.

    I might use the encryption if I felt there was a need (have to see how it works, like how does the recipient get the code?) but would NEVER use a cellphone number as a password (the fact that I no longer own a cellphone notwithstanding).

    I don't like passwords and keep hoping for a better (and secure (iris scans and fingerprints don't seem like solutions as once the 'image' is made it is eminently copyable)) solution. I use PasswordManager (Bruce Schneier originated) and could not possibly tell you what my passwords are (with the exception of PasswordManager and two computer logins), the other two or three dozen are created by PasswordManager, and it does the typing for me. Without PasswordManager I could not log into my email accounts.

    • Ninja, 18 Mar 2015 @ 3:31am

      Re: Yet

      As far as I understood it's an app that generates passwords tied to the current date and time, much like Google auth. You could encrypt your phone with a key and further protect this password generator (that should be open for use with any service that requires random key generators so you can put everything in one place and secure that place accordingly). You still need to remember some passwords (two if you encrypt your phone and lock the app) but nothing more. Also, like Google auth, it seems connections are factored out.

      I'd argue that you could make things safer if there was a standalone device that would act solely as the key generator instead of bundling it with a computer (cellphone) but it's at least a start.

  • Anonymous Coward, 17 Mar 2015 @ 4:33pm

    I'll believe Yahoo Mail is secure, right after Hillary

    starts using it.

  • Dan, 17 Mar 2015 @ 5:42pm

    As long as it is compatible with GnuPG that we old folks still use with our quaint "mail client", then it's all good. In fact, I already use TBird+Enigmail on my Yahoo email which I access via POP3.

  • Anonymous Coward, 18 Mar 2015 @ 3:14am

    Nobody of value uses Yahoo -- and nobody should

    Yahoo is one of the very worst-run operations on the Internet. The incompetence and negligence there is stunning in terms of both its pervasiveness and its longevity -- so much so that it's difficult to find superlatives that adequately cover it.

    Yahoo is completely overrun with spammers and phishers. Yahoo has massive security holes -- it wouldn't surprise me if attackers have gained control of parts of their infrastructure. Yahoo not only doesn't act on mail sent from network peers to role accounts (e.g., postmaster, hostmaster, abuse, etc.) but responses -- if any -- are incoherent and illiterate. (I have a file full of them, including some that show their inability to look at mail headers and recognize their own users on their own systems on their own network.) Yahoo stupidly enabled DMARC a year ago, ostensibly to deal with forgery, thus breaking every mailing list on the Internet and doing NOTHING about the tens of millions of compromised accounts that send traffic dutifully marked by DMARC as authentic.

    More briefly: Yahoo is a shithole of spam, abuse, phishing, kiddie porn, scams, hacks, and forgery -- and if it closed down tomorrow, this would be a huge benefit for the rest of the Internet. Yahoo could try to fix this of course but it apparently prefers to spend its money on $500M acquisitions rather than behaving as a responsible, professional, competent, ethical member of the community.

    And Stamos? A shill. A mouthpiece. A front. No more. Why do you think he's blathering about this utterly worthless project rather than attacking the core problems? It's a PR stunt designed to distract attention and it's working.

    • Ninja, 18 Mar 2015 @ 3:44am

      Re: Nobody of value uses Yahoo -- and nobody should

      I can't dispute your assertions since I don't use Yahoo but honestly I seldom receive spam from Yahoo addresses. Amusingly I get more spam from Gmail itself (my provider) than Yahoo or Microsoft. But even if you sum all three it doesn't even come close to 1% of the rest of the domains. I've built my custom filter with most of the offenders so today when I get spam it's only from newly compromised servers so it has been reduced to one or two spam mails a week.

      So my point is, do you have articles and sources that provide facts and proper explanations to your assertions? I'm not mocking you or anything, it's an honest question.

      • Anonymous Coward, 18 Mar 2015 @ 4:16am

        Re: Re: Nobody of value uses Yahoo -- and nobody should

        I have an old Yahoo email address. After reading this news (right here on Techdirt), for the first time in many months, I went over to Yahoo and logged in. The user interface has been changed for the worse, is incredibly slow to the point of timeouts (running latest Firefox), and very spammy tasteless sponsored ads (stuff like supplements, dating sites, get-rich-quick schemes all with unblockable images) are impossible to remove without signing up for the non-free service. I couldn't find any mention of any new features (such as encryption). In fact as soon as I saw the spammy unremovable ads I backed out as quickly as possible (I have a ton of adblockers and script blockers, and it's been a while since I saw any ad but these were right in the email inbox). I don't want to go there again, my PC needs a wash, and the whole thing felt so sleazy that Gmail is virginal and pure by comparison. Yuk.

  • John Fenderson, 18 Mar 2015 @ 7:50am

    I wonder...

    "If Google, Yahoo and others don't do enough to protect their users' privacy, those users will go elsewhere, and then it won't matter whether or not the emails are encrypted, because they won't see them anyway."

    It seems to me that people who are concerned about privacy already avoid using mail services that do contextual advertising, so I wonder how strong that effect would be.

  • Miss Brewer, 1 Feb 2016 @ 8:06pm

    How to block porn sent from an encrypted email!!!!

    How do you stop someone from sending you porn when they have encrypted their email?

  • den walker, 25 Jan 2017 @ 2:18am

    Yahoo and Google try from time to time to update security policies to secure their users' accounts; end-to-end encryption of email data makes Yahoo more secure and easy to access.

  • Emailsuport, 14 Jun 2017 @ 4:48am

    Google has become a lot more secure. But Yahoo still needs so many changes in email.
