Yahoo to introduce end to end encryption for emails next year
August 8, 2014
Encryption should be part of an organisation's data security framework. Encrypting personal information reduces the likelihood that a breach of data security caused by a cyber attack will directly affect an organisation's customers, provided the keys are not compromised along with the data. Encrypting the content of emails is already possible with the appropriate programs, but it is not something the webmail providers have generally offered to their users. Given that personal information is often transmitted by email, there is a risk of a privacy breach if email is intercepted and read by third parties. In the USA that risk has the additional overlay of the NSA's PRISM program, which has involved mass collection of emails and other data. The politics are one thing, but the harm to the business reputation of the providers is another. Google, Microsoft and others, including Yahoo, have not enjoyed being seen as a conduit for a governmental collection program. Some, perhaps much, of that criticism has been unwarranted or at least exaggerated, but in a market where users have concerns about security and privacy the Snowden revelations have caused industry wide damage.
It is therefore not surprising that Yahoo has announced, as reported in Yahoo to Release End-to-End Encryption for Email Users, that it will be enabling end-to-end encryption for all of its Mail users.
The article provides:
Yahoo plans to enable end-to-end encryption for all of its Mail users next year. The company is working with Google on the project and the encryption will be mostly transparent for users, making it as simple as possible to use.
Alex Stamos, CISO at Yahoo, said that the project has been a priority since he joined the company a few months ago and will be a key way to make online life safer for millions of users. Yahoo is using the browser plugin Google released in June that enables end-to-end encryption of all data leaving the browser. Stamos said Yahoo is working to ensure that its system works well with Google’s so that encrypted communications between Yahoo Mail and Gmail users will be simple.
“The goal is to have complete compatibility with Gmail,” Stamos said during a talk at the Black Hat USA conference here Thursday.
The email encryption isn’t the only security improvement on the horizon for Yahoo. The company is also working on enabling HSTS on its servers, as well as certificate transparency. HSTS (HTTP strict transport security) allows Web sites to tell users’ browsers that they only want to communicate over an encrypted connection. The certificate transparency concept involves a system of public logs that list all certificates issued by cooperating certificate authorities. It requires the CAs to voluntarily submit their certificates, but it would help protect against attacks such as spoofing Web sites or man-in-the-middle.
The security upgrades on the docket at Yahoo are aimed at making it easier for everyday users to use the Internet safely and securely, without needing to be security or privacy experts, Stamos said. The security industry spends a lot of time working out defenses and new products to protect against exotic attacks while users are being targeted by much more mundane attacks that still don’t have effective solutions.
“Post-Snowden, we have a strain of nihilism that’s keeping us from focusing on what’s real,” Stamos said. “We as an industry have failed. We’ve failed to keep users safe.
“If we can’t build systems that our users in the twenty-fifth percentile can use, we’re failing. And we are failing. We don’t build systems that normal people can use.”
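The article mentions HSTS only briefly. The mechanism is worth seeing in code: the server sends a Strict-Transport-Security header, and the browser remembers it and rewrites later plain-HTTP requests to HTTPS for as long as the header's max-age allows. The model below is an added example written for this page; it is not code from Yahoo, Google or the quoted article, and the header values, host names and the six-month minimum age are constructed assumptions. It shows why a short max-age or a missing includeSubDomains directive weakens the protection, and why a browser must only honour the header when it arrives over TLS.

```python
"""Model of how a browser applies an HSTS policy (RFC 6797).

Added example for this page; not code from Yahoo, Google or the quoted
article. Sample headers and host names below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# A header a site might send once HSTS is rolled out: one year, subdomains
# covered. (Constructed sample, not any provider's real header.)
STRONG_HEADER = "max-age=31536000; includeSubDomains"
# A weak header: ten minutes, so the policy lapses before the user returns.
WEAK_HEADER = "max-age=600"
MIN_MAX_AGE = 180 * 24 * 3600  # assumed review floor of about six months


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None when the header is malformed (no max-age, a duplicate
    max-age, or a non-numeric value). Directive names are case-insensitive
    and unknown directives are ignored, as the RFC requires.
    """
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains,
            "preload": preload}


class HstsCache:
    """Minimal model of a browser's HSTS store, keyed by host."""

    def __init__(self):
        self._policies = {}  # host -> (expiry_time, include_subdomains)

    def observe(self, scheme, host, header, now):
        """Record a policy from a response received at time `now` (seconds).

        The header is ignored unless it arrived over TLS; otherwise an
        on-path attacker could plant or clear policies. max-age=0 removes
        an existing policy.
        """
        if scheme != "https":
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self._policies.pop(host, None)
            return
        self._policies[host] = (now + policy["max_age"],
                                policy["include_subdomains"])

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def assess_header(header):
    """List the weaknesses a review of a site's HSTS header would report."""
    policy = parse_hsts(header)
    if policy is None:
        return ["malformed or missing max-age"]
    findings = []
    if policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age too short")
    if not policy["include_subdomains"]:
        findings.append("subdomains not covered")
    return findings


def simulate_visits():
    """Walk a browser through a sequence of events; return the URL fetched at each step."""
    cache, url = HstsCache(), "http://mail.example.com/inbox"
    results = {}
    cache.observe("http", "example.com", STRONG_HEADER, now=0)   # plain HTTP: ignored
    results["after_plain_http"] = cache.rewrite(url, now=1)
    cache.observe("https", "example.com", STRONG_HEADER, now=0)  # over TLS: stored
    results["after_https"] = cache.rewrite(url, now=1)           # subdomain upgraded
    results["after_expiry"] = cache.rewrite(url, now=31536001)   # a year on: lapsed
    cache.observe("https", "example.com", "max-age=0", now=2)    # site withdraws policy
    results["after_withdrawal"] = cache.rewrite(url, now=3)
    return results


if __name__ == "__main__":
    print("weak header findings:", assess_header(WEAK_HEADER))
    for step, fetched in simulate_visits().items():
        print(f"{step}: {fetched}")
```

Two caveats the model makes visible: the very first visit to a site is unprotected, because the browser has not yet seen the header (browsers address this with a built-in preload list, requested with the preload directive), and a policy that is allowed to expire or is sent with a short max-age silently reopens the downgrade window.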
From a Privacy Act perspective this development would clearly be appropriate, and it may even establish a benchmark that other organisations should follow, whether through their mail provider or through standalone encryption programs such as PGP. Governmental agencies are likely to be less enthused, because end-to-end encryption makes the content of any emails they collect harder to read, although the addressing information and subject line ordinarily remain unencrypted. Without a back door or the private key, which in an end-to-end design is held by the user rather than the provider, the content cannot practically be decrypted; the agency would have to obtain the key from the user's own device.