Yahoo Mail to support end-to-end PGP encryption by 2015

Yahoo Mail is going to have an encryption option supplied by Google's End-to-End Chrome extension modified for Yahoo's service.

Yahoo is following in the footsteps of Google and plans to implement end-to-end encryption into Yahoo Mail by 2015. Like Google, Yahoo plans to use the OpenPGP encryption standard to encrypt messages. OpenPGP, which is the gold standard for email encryption, uses a public-private keypair scheme to protect user messages.

To get the encryption done, Yahoo will use a modified version of Google's alpha stage End-to-End Chrome extension. But Yahoo's version will be designed to work with the Yahoo Mail interface instead of Gmail.

Yahoo also plans on making encryption a native part of the Yahoo Mail mobile apps, according to a tweet by Alex Stamos, Yahoo's chief information security officer. Stamos announced Yahoo's email encryption plans during Black Hat USA, a security conference that ended on Thursday.

Further reading: The 10 most terrifying security nightmares revealed at the Black Hat and Def Con hacker conferences

As part of the encryption effort, Yahoo will create a new privacy engineering team to work on the project. The team's first hire was Yan Zhu, a staff technologist for the Electronic Frontier Foundation who worked on projects such as the HTTPS Everywhere and Privacy Badger add-ons. Zhu was also the person who recently discovered a security flaw in Wordpress login cookies.

Easing encryption

The news that yet another major webmail service wants to build encryption tools into its product is encouraging. But it's not clear how many people will actually want to use the new option.

While encryption and privacy are top of mind for many as the revelations from Edward Snowden and other whistleblowers continue to roll out. The problem is both Google and Yahoo must make encryption dead simple to use.

On top of that is the issue of key management. How will Yahoo help users with managing their keys while at the same time preventing the company from having access to them?

If Yahoo sticks everyone's keys on a company server, for example, Yahoo could be compelled to hand them over to law enforcement. One way around this is to require users to manage their keys themselves, which isn't very realistic for a mass market service--if you lose your private key, it is impossible to read your encrypted emails.

Alternatively, the company could employ a scheme similar to services like Lastpass, where user keys are on company servers, but the keys are encrypted on the user's PC before they arrive on company servers. That way Yahoo would only be handing over encrypted blobs that law enforcement would have to attempt to crack.

Each time someone signs on to Yahoo Mail from a new device, the company could push the encrypted keys down to the new device and decrypt them there. Similarly, messages in decrypted form would have to remain on the client device with Yahoo's servers prevented from reading them.

Managing key pairs and decrypted messages are important issues to tackle. But if Yahoo (and Google) get it right, the two companies could go a long way to helping make sensitive email more private.

[via  The Wall Street Journal]

Join the CSO newsletter!

Error: Please check your email address.

Tags GmailYahoosecurityencryption

More about Electronic Frontier FoundationWall StreetYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place