Yahoo Rolls Out End-To-End Encryption For Email

from the good-move! dept

Tue, Mar 17th 2015 3:55pm — Mike Masnick

Back in 2012 (pre-Snowden!), we wrote about why Google should encrypt everyone's emails using end-to-end encryption (inspired by a post by Julian Sanchez saying the same thing). Since then, securing private communications has become increasingly important. That's why we were happy to see Google announce that it was, in fact, working on a project to enable end-to-end encryption on Gmail, though it was still in the early stages. In December of last year, Google moved that project to Github, showing that it was advancing nicely. As we noted at the time, one interesting sidenote on this was that Yahoo's Chief Security Officer, Alex Stamos, was contributing to the project as well.

Thus it's not surprising, but still great to see, that Stamos has now announced the availability of an end-to-end encryption extension for Yahoo Mail (also posted to Yahoo's Github repository). It appears to function similarly to existing third-party extensions (like Mailvelope), but it's still good to see the big webmail providers like Yahoo and Google taking this issue more seriously. It's still not ready for prime time, and it's unlikely that either provider is going to make this a default option any time soon, but offering more, better (and more user friendly) options to give everyone at least the option of doing end-to-end encryption is a very good sign.

It also raises a separate issue that I think is important: many have argued that companies like Yahoo and especially Google would never actually push for end-to-end encryption of emails, because it takes away the ability of those companies to do contextual advertising within those emails. But that's an exceptionally short-sighted view. If Google, Yahoo and others don't do enough to protect their users' privacy, those users will go elsewhere, and then it won't matter whether or not the emails are encrypted, because they won't see them anyway. Focusing on the user first is always going to be the right solution, and that includes encrypting emails, even if it means slightly less ad revenue in the short term. Hopefully, Google, Yahoo and others remember this simple fact.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: email, encryption, end to end, end to end encryption
Companies: yahoo

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

avideogameplayer, 17 Mar 2015 @ 4:14pm

Encryption doesn't mean shit if the NSA can just use their NSLs or just hack into any and all accounts...
[ link to this | view in chronology ]
- Anonymous Coward, 17 Mar 2015 @ 4:21pm
  
  Re:
  Not everyone's threat model includes USG.
  [ link to this | view in chronology ]
  - Max (profile), 17 Mar 2015 @ 4:35pm
    
    Re: Re:
    Well seeing as how 99.99% of ordinary people have NOBODY ELSE interested in their mail, what good any encryption is to them if it can't even keep out the one foe they know is snooping on them - the USG?!?
    [ link to this | view in chronology ]
  - Anonymous Coward, 17 Mar 2015 @ 8:59pm
    
    Re: Re:
    "Not everyone's threat model includes USG."
    
    My threat model includes everyone but the intended recipient.
    [ link to this | view in chronology ]
- Anonymous Coward, 17 Mar 2015 @ 5:09pm
  
  Re:
  Sure it does... it makes their job a lot more difficult. End-to-end means that only you and the recipient get to have the decryption key. So it doesn't matter how much data they snarf down, it will be useless unless they've got a *targeted* keylogger or other data exfiltration device on your system. They can't just "big data" this stuff, as the data would be way too big if they collected everything on all endpoints. So end-to-end forces them to behave the way they should be already.
  [ link to this | view in chronology ]
- Anonymous2, 17 Mar 2015 @ 5:30pm
  
  Re:
  Oh, yes it does. The problem is that we don't yet have an end-to-end encryption convention simple enough so everyone can use it by default.
  
  Google and Yahoo efforts really advance the situation by attempting a solution easy enough that everyone can put it in place. The 'easy for everyone to use by default' will mean it will not be bullet-proof. It doesn't have to be to put a stop to bulk privacy invasions into personal information. We need this default universal protection with as little delay as possible.
  
  Once universally in place, work can proceed to eventually reduce inevitable early vulnerabilities exposed to the sufficiently-determined and sufficiently-financed.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Mar 2015 @ 9:09pm
    
    Re: Re:
    "The 'easy for everyone to use by default' will mean it will not be bullet-proof."
    
    Hmm, "security through insecurity". How very Orwellian.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 18 Mar 2015 @ 7:52am
      
      Re: Re: Re:
      I don't think that's what he's saying. I think he's saying that some level of security is better than no security at all.
      
      Also, there's no such thing as "bulletproof" security anyway.
      [ link to this | view in chronology ]
      - Anonymous2, 18 Mar 2015 @ 9:34am
        
        Re: Re: Re: Re:
        Both points are correct.
        
        Right now, I have no email security beyond using a non-invasive email host, even though I would be willing to work to achieve it. The problem is that no one I communicate with would be willing or able to put in a similar effort.
        
        If a trivially-installed encryption framework can be worked out that can be incrementally improved, then we would reach the critical mass to make everyone's private communications more secure.
        
        Of course, many will not handle their private keys properly, and any communication with them could be hacked. But it would take an effort to do many such individual hackings, and people can learn to improve defenses over time if it can be done in small increments.
        
        Until that basic framework is in place, honest private email conversations will remain choked and guarded. Freedom of private speech is very difficult under such conditions.
        [ link to this | view in chronology ]
- That One Guy (profile), 17 Mar 2015 @ 8:16pm
  
  Re:
  The point isn't to make it impossible for the spy agencies, as if they really want access to your communications bad enough, they will find a way to do so. No, the point is to make them work for it, to make it more trouble than it's worth breaking the encryption when they have no idea if anything protected by it will be of any interest or use.
  
  Make it a big enough pain, and mass-spying suddenly becomes a lot less enticing to the voyeurs staffing those agencies, ideally either making them spend time and money cracking the encryption to people's communications, or not bothering at all and shifting their focus back on targeted investigations.
  [ link to this | view in chronology ]
- Paul, 19 Mar 2015 @ 6:50am
  
  Re: End-to-end encryption
  That's the point of end-to-end encryption, you have the keys in your possession, not on the providers servers. Even with NSL's, all the NSA will get is encrypted data from the provider...
  [ link to this | view in chronology ]
Anonymous Anonymous Coward, 17 Mar 2015 @ 4:23pm

Yet
At the same time they are providing a no password solution tied to phone numbers. One article I read suggested that some teen girls should be careful of letting their younger brothers (or parents) borrow the phone.

I might use the encryption if I felt there was a need (have to see how it works, like how does the recipient get the code?) but would NEVER use a cellphone number as a password (the fact that I no longer own a cellphone not withstanding).

I don't like passwords and keep hoping for a better (and secure (iris scans and finger prints don't seem like solutions as once the 'image' is made it is emanatly copy-able)) solution. I use PasswordManager (Bruce Schneier originated) and could not possibly tell you what my passwords are (with the exception of PasswordManager and two computer logins), the other two or three dozen are created by PasswordManager, and it does the typing for me. Without PasswordManager I could not log into my email accounts.
[ link to this | view in chronology ]
- Ninja (profile), 18 Mar 2015 @ 3:31am
  
  Re: Yet
  As far as I understood it's an app that generates passwords tied to the current date and time, much like Google auth. You could encrypt your phone with a key and further protect this password generator (that should be open for use with any service that requires random key generators so you can put everything in one place and secure that place accordingly). You still need to remember some passwords (two if you encrypt your phone and lock the app) but nothing more. Also, like Google auth, it seems connections are factored out.
  
  I'd argue that you could make things safer if there was a standalone device that would act solely as the key generator instead of bundling it with a computer (cellphone) but it's at least a start.
  [ link to this | view in chronology ]
Anonymous Coward, 17 Mar 2015 @ 4:33pm

I'll believe Yahoo Mail is secure, right after Hillary
starts using it.
[ link to this | view in chronology ]
Dan, 17 Mar 2015 @ 5:42pm

As long as it is compatible with GnuPG that we old folks still use with our quaint "mail client", then it's all good. In fact, I already use TBird+Enigmail on my my Yahoo email which I access via POP3.
[ link to this | view in chronology ]
Anonymous Coward, 18 Mar 2015 @ 3:14am

Nobody of value uses Yahoo -- and nobody should
Yahoo is one of the very worst-run operations on the Internet. The incompetence and negligence there is stunning in terms of both its pervasiveness and its longevity -- so much so that it's difficult to find superlatives that adequately cover it.

Yahoo is completely overrun with spammers and phishers. Yahoo has massive security holes -- it wouldn't surprise me if attackers have gained control of parts of their infrastructure. Yahoo not only doesn't act on mail sent from network peers to role accounts (e.g., postmaster, hostmaster, abuse, etc.) but responses -- if any -- are incoherent and illiterate. (I have a file full of them, including some that show their inability to look at mail headers and recognize their own users on their own systems on their own network.) Yahoo stupidly enabled DMARC a year ago, ostensibly to deal with forgery, thus breaking every mailing list on the Internet and doing NOTHING about the tens of millions of compromised accounts that send traffic dutifully marked by DMARC as authentic.

More briefly: Yahoo is a shithole of spam, abuse, phishing, kiddie porn, scams, hacks, and forgery -- and if it closed down tomorrow, this would be a huge benefit for the rest of the Internet. Yahoo could try to fix this of course but it apparently prefers to spend its money on $500M acquisitions rather than behaving as a responsible, professional, competent, ethical member of the community.

And Stamos? A shill. A mouthpiece. A front. No more. Why do you think he's blathering about this utterly worthless project rather than attacking the core problems? It's a PR stunt designed to distract attention and it's working.
[ link to this | view in chronology ]
- Ninja (profile), 18 Mar 2015 @ 3:44am
  
  Re: Nobody of value uses Yahoo -- and nobody should
  I can't dispute your assertions since I don't use Yahoo but honestly I seldom receive spam from Yahoo addresses. Amuzingly I get more spam from Gmail itself (my provider) than Yahoo or Microsoft. But even if you sum all three it doesn't even come close to 1% of the rest of the domains. I've built my custom filter with most of the offenders so today when I get spam it's only from newly compromised servers so it has been reduced to one or two spam mails a week.
  
  So my point is, do you have articles and sources that provide facts and proper explanations to your assertions? I'm not mocking you or anything, it's an honest question.
  [ link to this | view in chronology ]
  - Anonymous Coward, 18 Mar 2015 @ 4:16am
    
    Re: Re: Nobody of value uses Yahoo -- and nobody should
    I have an old Yahoo email address. After reading this news (right here on Techdirt), for the first time in many months, I went over to Yahoo and logged in. The user interface has been changed for the worse, is incredibly slow to the point of timeouts (running latest Firefox), and very spammy tasteless sponsored ads (stuff like supplements, dating sites, get-rich-quick schemes all with unblockeable images) are impossible to remove without signing up for the non-free service. I couldn't find any mention of any new features (such as encryption). In fact as soon as I saw the spammy unremoveable ads I backed out as quickly as possible (I have a ton of adblockers and script blockers, and it's been a while since I saw any ad but these were right in the email inbox). I don't want to go there again, my PC needs a wash, and the whole thing felt so sleazy that gmail is virginal and pure by comparison. Yuk.
    [ link to this | view in chronology ]
John Fenderson (profile), 18 Mar 2015 @ 7:50am

I wonder...
If Google, Yahoo and others don't do enough to protect their users' privacy, those users will go elsewhere, and then it won't matter whether or not the emails are encrypted, because they won't see them anyway.

It seems to me that people who are concerned about privacy already avoid using mail services that do contextual advertising, so I wonder how strong that effect would be.
[ link to this | view in chronology ]
Miss Brewer, 1 Feb 2016 @ 8:06pm

How to block porn sent from an encrypted email!!!!
How do you stop someone from sending you porn when they have encrypted there email.
[ link to this | view in chronology ]
den walker, 25 Jan 2017 @ 2:18am

Yahoo google time to time try to update security policies to secure their user's account, end to end encryption of emails data makes yahoo more secure and easy to access
[ link to this | view in chronology ]
Emailsuport, 14 Jun 2017 @ 4:48am

Google becomes a lot secure. But yahoo still need so many changes in email.
[ link to this | view in chronology ]
outlook support, 23 Aug 2017 @ 11:01pm

outlook services
Outlook is a website that helps to provide best services and also help to share any information through outlook accounts.<a href="https://outlooktechsupport.org/faqs/">Outlook Contact Number</a>
[ link to this | view in chronology ]
sanskaar, 10 Nov 2017 @ 12:50am

Sanskaar Kids Kingdom is a play gruop school
Our Pedagogy is researched and different form all other methodology. Sanskaar has developed Sanskaar Unique Method (SUM) .It is very much scientific, psychology and practical. We not work on learning but also on learning habits. SUM is based on Involvement of Dramaturgy in Education Application (IDEA). Realism, Simple to Complex and known to Unknown are key mantras of pedagogy.

http://www.sanskaarkidskingdom.com/
[ link to this | view in chronology ]
Yahoo email customer, 17 Dec 2017 @ 11:44pm

How to add Yahoo email account to Outlook
Add your Yahoo email account to outlook with the help of support team or some instructions. Or contact with Yahoo email customer support team.
[ link to this | view in chronology ]
angelicagrew, 27 Dec 2017 @ 1:14am

POP Access Settings and Instructions for Yahoo Mail
We have describe POP Access Settings and Instructions for Yahoo Mail on our website. Let’s visit here:-
[ link to this | view in chronology ]
rahul, 11 Mar 2018 @ 11:16pm

Indian Business Directory, Local Search Engine in India
We are among the top Local Search Engine Company India offering many packages which helps to support your website at the top on the Google pages. We, at India Internet present you with the very best web promotion services bringing your websites in top search results. We help you to get the traffic of your website.
[ link to this | view in chronology ]
Yahoo Support, 12 Mar 2018 @ 2:00am

Yahoo Support
Are you looking yahoo email password solutions. Now you can contact us we will help you recover your password.
[ link to this | view in chronology ]
sandra (profile), 9 Oct 2020 @ 3:21am

how to contact yahoo for help
awesome article thanks alot
[ link to this | view in chronology ]
sandra (profile), 9 Oct 2020 @ 3:23am

yahoo mail help
nice post
https://helpsyahoo.com/
[ link to this | view in chronology ]