Yahoo Says It Will Encrypt All Data Center Data Transfers Now Too
from the thank-ed-snowden dept
If you use Yahoo, you can now thank Ed Snowden for the fact that your data is soon going to be more secure. Last week, we noted that Microsoft still wasn't encrypting traffic on the private lines between its data centers, and that Yahoo had suggested the same thing was true, given their very vague answer when asked about it all. Google, on the other hand, had been feverishly encrypting the traffic flows since the summer. Now, Yahoo's CEO Marissa Mayer has directly addressed the issue, announcing that they're working hard to encrypt all such data transfers and that they'll have the job done by the end of March in 2014. Also, perhaps equally or more importantly, they're planning to offer users the option to encrypt all the data in and out of Yahoo by that same date. Yahoo had been a bit slower than others to really recognize the importance of encryption, but it looks like they're going all in now -- which is great to see. And, if you remaining Yahoo users out there want to thank anyone, you might want to direct that appreciation towards Ed Snowden. Without him, it's quite unlikely this would be happening right now.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data centers, ed snowden, encryption, marissa mayer
Companies: yahoo
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
1- You have no guarantees of that
2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)...which, according to the Snowden leaks, they are more than happy to do.
3- Even assuming that they are encrypting data now AND that that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
This is just P.R. from Google and Yahoo.
I don't buy it.
[ link to this | view in thread ]
[ link to this | view in thread ]
Open Letter to Ed Snowden
Thank you for your sacrifice in doing the right thing. I feel ashamed that our nation which I have spent over 18 years defending has subjected you to such treatment. When you are able to come back home, I would love to buy you a beer. Stay safe. And know that all history books will list you as a hero.
[ link to this | view in thread ]
Re:
lol - cracks me up.
"i dont buy it"
too funny
[ link to this | view in thread ]
But can they be trusted?
W're a' doomed.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Right, Lavabit creator Ladar Levinson and Qwest? Surely they didn't suffer because they wouldn't play ball with the U.S. government, got funding pulled from their services and had to shut down.
Surely that didn't happen.
[ link to this | view in thread ]
__________________________________________
While it's true that the keys can just be handed over to the NSA, encryption plays an essential role in protecting communications and data from nefarious third parties as well, to whom google/yahoo/microsoft at least aren't turning over the keys.
Security nihilists are the absolute worst.
[ link to this | view in thread ]
Running around with a tinfoil hat on
[ link to this | view in thread ]
http://money.cnn.com/2013/11/18/investing/bitcoin-china/index.html?hpt=hp_t5
If he don't he should.
[ link to this | view in thread ]
Re: @ "Me" - "at least aren't turning over the keys."
Also, from the underlines "___" as divider, you're apparently the "lots of lines" AC who was trolling me last week, and still don't know the horizontal rule tag.
The world is being dumbed-down in ways most people are already too stupid to grasp.
03:03:21[d-10-3] [ This is necessary to suppress the kids here from fraud of using my screen name. ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Running around with a tinfoil hat on
[ link to this | view in thread ]
Re: Re: @ "Me" - "at least aren't turning over the keys."
Strictly from an aesthetics point of view, Me's addition of the short line separating the quoted text from his own is visually appealing to the eye and adds to the overall ambiance of the comment. I give it a 8.5.
Whereas your comment with the ugly long line separating your top lines of your bullshit from the bottom lines of your bullshit offends my artistic sensibilities. I give yours a 1.0. Maybe you should put a little more effort into it.
[ link to this | view in thread ]
Who?
If I use Ya Who? Who are they?
[ link to this | view in thread ]
Re:
This is true, however it would be unlikely they would say that and risk being found out.
2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)...which, according to the Snowden leaks, they are more than happy to do.
It would still of course keep out non-NSA actors!
While I do not agree with the mass data (or even smaller scale efforts being carried out currently by the NSA I seriously doubt someone there would steal my Credit Card number and buy crap online. This will at least help keep out those that would.
3- Even assuming that they are encrypting data now AND that that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
During the time Yahoo was building "from the ground up" these precautions on a closed network running between their own installations did not seem necessary. Not it seems that it is and they are doing something about it.
[ link to this | view in thread ]
Re:
Can you point to where in the Snowden leaks to date it has said that any of these companies willingly hands over encryption keys? Because it's not there.
Even assuming that they are encrypting data now AND that that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.
And they didn't "intentionally leave a hole." They thought, quite reasonably, that it wasn't a hole. And, when they discovered the backdoor in, they worked to shut it. That's a good thing.
[ link to this | view in thread ]
Re: Lavabit
Imagine the same scenario again but with Google.
They'd walk into court in Washington fully armed and push back big time. And I reckon the original offer (to write code to allow SPECIFIC tapping of one user) that LL made would be what the judge would settle for.
I honestly think Google would take this legal fight to its logical conclusion, but LL was simply not equipped to do so.
Or maybe i'm just being naive...
[ link to this | view in thread ]
Re: Re:
Not to mention it adds considerable overhead. Keeping the back-channels unencrypted reduces the bandwidth and speeds the traffic considerably. Adding encryption to anything slows it down (though that can be managed.) For most websites using back-channel connections to databases, if encryption is turned on, they run the risk of DoS if there are a high number of queries against the database, and most will turn off the encryption, especially if using local sockets/pipes, even if someone sitting on the machine can compromise these, just to keep everything smooth.
I'd go even further on your statement that it wasn't considered a hole...Until the NSA was found to have a backdoor in their network, anyone who would have suggested that they would encrypt all their out-of-bound/back-channel comms would likely (and quite reasonably) have been fired.
[ link to this | view in thread ]
Re:
Let's not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?
Will they also implement a kill switch; like post:
"We have not received a request to decrypt or otherwise remove the integrity of our encrypted channel?"
so that if they do have to comply with a request to do so, this line of text would have to be taken down?
I'm sorry; all the animals are out of the barn. There is no point of closing the doors now.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
I actually do this on my home network. It's not really as bad as it might sound, and the performance hit isn't noticeable.
Of course, I'm moving a metric hit-ton less data around than an outfit like Yahoo. The larger the scale, the more of a hit something like this causes.
[ link to this | view in thread ]
Re: Re:
Given the NSA went through all the trouble of tapping their data center lines directly, I'd say odds are pretty poor, as that's not the actions of a group that's been given the okay by the company to spy on such traffic, but rather a group that either did ask and was denied, or doesn't even want to ask because they think they will be denied.
I'm sorry; all the animals are out of the barn. There is no point of closing the doors now.
I'm confused, are you arguing for or against the NSA here?
The thinking of 'oh they've already tapped the unencrypted data, no sense in encrypting it now' plays right into the NSA's hands, whereas encrypting, even if it's broken, at least makes them work to do so, and removes their current access.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
Doubtful, especially if you aren't using 802.1x and wireless separation mode. Everyone on the network has the session key and can decrypt everyone else's traffic. Only outsiders can't decrypt the traffic (unless you are using a short key, WPS, WPA 1 or WEP, in which case, they probably can.) And it isn't going to stop the NSA, who just hires your provider to give the unencrypted traffic from the backbone or compromises your switch/router to grab the traffic which is unencrypted on the wired LAN.
[ link to this | view in thread ]