Yahoo CISO: End-to-end Mail encryption by 2015

Summary: At Black Hat USA 2014, Yahoo's CISO announced in a presentation that consumers will be seeing end-to-end encryption in its Mail product by 2015.

Today at Black Hat USA 2014, Yahoo's CISO announced in a presentation that consumers will be seeing end-to-end encryption in its Mail product by 2015.

Announcing a new PGP plugin that piggybacks off of Google's PGP plugin, Alex Stamos told the audience at his talk, "Building Safe Systems at Scale - Lessons from Six Months at Yahoo", that this project has been a priority since he joined Yahoo Inc. six months ago.

Recruited for the project is (now former) EFF staff technologist Yan Zhu.

In the Thursday talk, Stamos told attendees that Yahoo is using the end-to-end encryption plugin that Google released a few months ago, with the plan of having both Yahoo Mail and Gmail able to exchange encrypted mail between the services seamlessly and easily.

The move is a step in the right direction for security teams endeavoring to bring encryption to consumers, an effort that faces challenges around ease of use for the ordinary user.

Encryption has followed security's traditional quandary of easy versus secure. Basically, if anything [in tech] is easy to use, lots of people will use it -- but security and simplicity seldom go hand-in-hand.

In front of his Black Hat audience, Stamos directly cited the 'post-Snowden era' of consumer privacy and security as the impetus for his push at Yahoo.

He said,

Post-Snowden, we have a strain of nihilism that’s keeping us from focusing on what’s real.

We as an industry have failed. We’ve failed to keep users safe.

If we can’t build systems that our users in the twenty-fifth percentile can use, we’re failing. And we are failing. We don’t build systems that normal people can use.

Stamos' talk was the best-liked and most talked-about briefing at Black Hat USA Las Vegas 2014.

Mr. Stamos has been tweeting tidbits about the announcement.

The move to encrypted mail brings Yahoo Mail into the forefront of user privacy in mail services among web giants, joining Google and Microsoft in the race to protect customers in the post-Snowden era of security.

Photo credit: Black Hat USA/UBM Tech, used with permission.

  • isn't PGP illegal in US?

    The last time I checked PGP software was not allowed in US. Maybe it was too long ago though.
  • yahoo mail spam magnet

    good to see this but how about stopping yahoo mail being such a spam magnet???
  • iMUNIQE Key

    Today's web-based communications systems are being systematically infiltrated both by government agencies and unofficially through web attacks. Web attacks might be carried out by hackers, but often these hackers are being hired by your competitors. Unfortunately, even though there are strict rules and regulations for government departments such as the US Department of Homeland Security or the UK Home Office, these can be easily bypassed by departments such as the National Security Agency, if they believe they have a need to access your information. The majority of cloud services use server capacity from platforms provided by Apple, Google or Amazon.

    The volume of personal and business content is constantly growing and is being transmitted and shared through cloud service platforms such as iCloud, OneCloud, Dropbox or Sharepoint. According to German law, any company that provides any kind of telecommunication services must give German law enforcement access to all data transmitted via their platform/server (§110 TKG). Your personal data communications will be decoded, read and then recoded. The result: your personal content is accessible to governmental departments and thus accessible to many companies and hackers and at risk of being leaked.

    In other words: every encryption system offered to individuals to date has been worthless.

    You need an offline product like this... this is really secure....

    Partnering with/piggybacking off of Google is not my idea of "safety" or security by any means, it is in fact quite the opposite. This guy is talking out of both sides of the mouths of many faces here. Who does he think is buying this as valid?!
  • Really??

    Fer cryin' out loud, Violet, would you mind just telling all us dummies out here what the heck this means for yahoo and gmail users? Examples:
    - Will it defeat NSA decrypt if intercepted?
    - Can Yahoo recover your email for a court ordered subpoena?

    Do I have to do your job for you???
    • Email protocol by default is not encrypted

      Basically this will encrypt the data for its journey across the net and then decrypt it at each endpoint for you to read. Better, but you have to use your own encryption if you want it secure. After all, relying on Google or Yahoo to do it for you allows them to read and pass your data along. You need an open source product like TrueCrypt to secure your files if they will pass over the net, whether email, ftp, Dropbox or anything else. You can zip something with a password
      • ??

        How do you know Google and/or Yahoo can decrypt your email???
  • I Still Don't Trust Free Online Services

    I created a mail account on Yahoo a long time ago. I've never used it. I have never sent a single email from it. I never gave out the address to anyone. Yet this mailbox is always full. Google admits to reading not only every Gmail that goes through their service but all documents that are uploaded on their other services (this includes electronic scanning and/or reading by humans). The lack of privacy in these environments is usually well-documented in the Terms of Service (ToS) and/or the Privacy Policies of the service. Since they claim the right to do anything they want with the information, this is supposed to relieve them of any legal ramifications.

    If these services are using this information for "advertising" purposes, that means they can freely give your information to third parties, such as advertisers. The NSA, on the other hand, has way too much information, and the likelihood of them actually doing something with the data is somewhat limited unless you communicate with a criminal element (terrorist). So, which is worse? I really don't know the answer. However, if these services are going to allow encryption, many questions need to be asked. For example, "How are these sites (Yahoo/Google) going to go about their main objective in the area of directing advertising to you if they can't read your mail? If the government (NSA, DHS, FBI, etc.) want to subpoena your email, how will that work if it is end-to-end encrypted? In other words, who will hold onto the keys (public/private) and what bit-strength will be allowed?"

    As someone else pointed out, PGP used to be illegal at certain bit strengths (such as 1024-bit encryption) but that doesn't seem to be a concern to the government. Why is that? Maybe they have a way of extracting private keys and passphrases now? It makes me wonder.
    • PGP legality

      PGP has never been illegal to use at certain bit strengths. There were some legal issues with the first versions due to patent infringement. It was also illegal to export to other countries, but it's never been illegal for citizens to use.

      As for how effective it will be on Gmail and Yahoo, well, I have my doubts, since people want convenience, and that means storing private keys in the cloud. Still, it's a step in the right direction I suppose.
  • ADK

    With PGP you can provide an Alternate Decryption Key if you wish, but that is up to whoever is running the software.

    Get Thunderbird with Enigmail. No need to wait for Yahoo and Google; this has been available for several years.

    N.B.: as Phil Zimmermann warned us in his original essay on PGP, your operating system must be secured FIRST.
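The "who holds the keys" question that runs through these comments (cloud-stored private keys, the Alternate Decryption Key) comes down to how OpenPGP-style hybrid encryption wraps one session key once per recipient. The following is an added illustration, not Yahoo's, Google's or any real OpenPGP implementation; it uses an HMAC-SHA256 keystream as a stand-in cipher and a symmetric per-recipient key in place of a key pair, so it runs with only the Python standard library.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 used as a PRF in counter mode.
    Constructed for illustration only; real OpenPGP uses AES and key pairs."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def encrypt_to_recipients(plaintext: bytes, recipient_keys: dict, adk=None) -> dict:
    """Hybrid encryption as OpenPGP does it: a random session key encrypts the body,
    and that session key is wrapped once per recipient.  If an ADK is configured,
    one extra wrapped copy is added for it: that copy is exactly what lets the ADK
    holder (for example the party running the mail service) read the message."""
    session_key = os.urandom(32)
    nonce = os.urandom(12)
    wrapped = {name: keystream_xor(key, b"wrap" + nonce, session_key)
               for name, key in recipient_keys.items()}
    if adk is not None:
        adk_name, adk_key = adk
        wrapped[adk_name] = keystream_xor(adk_key, b"wrap" + nonce, session_key)
    body = keystream_xor(session_key, b"body" + nonce, plaintext)
    return {"nonce": nonce, "wrapped": wrapped, "body": body}


def decrypt_as(holder: str, key: bytes, msg: dict):
    """Return the plaintext if `holder` has a wrapped session key, else None.
    A provider that merely relays the message falls into the None case."""
    if holder not in msg["wrapped"]:
        return None
    session_key = keystream_xor(key, b"wrap" + msg["nonce"], msg["wrapped"][holder])
    return keystream_xor(session_key, b"body" + msg["nonce"], msg["body"])


def demo(use_adk: bool):
    """Constructed scenario: Alice writes to Bob; the mail provider holds a key
    that is only useful when the sender's software was configured with an ADK."""
    alice, bob, provider = os.urandom(32), os.urandom(32), os.urandom(32)
    msg = encrypt_to_recipients(b"meet at 9", {"alice": alice, "bob": bob},
                                adk=("provider", provider) if use_adk else None)
    return decrypt_as("bob", bob, msg), decrypt_as("provider", provider, msg)
```

Without an ADK entry the provider sees only ciphertext; with one it decrypts as easily as Bob does, which is the trade-off a cloud-held key or escrow policy makes.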