Today at Black Hat USA 2014, Yahoo's CISO announced in a presentation that consumers will be seeing end-to-end encryption in its Mail product by 2015.
Announcing a new PGP plugin that piggybacks off of Google's PGP plugin, Alex Stamos told the audience at his talk, "Building Safe Systems at Scale - Lessons from Six Months at Yahoo," that this project has been a priority since he joined Yahoo Inc. six months ago.
Recruited for the project is (now former) EFF staff technologist Yan Zhu.
In the Thursday talk, Stamos told attendees that Yahoo is using the end-to-end encryption plugin that Google released a few months ago, with the plan of having both Yahoo Mail and Gmail able to exchange encrypted mail between the services seamlessly and easily.
The move is a step in the right direction for security teams endeavoring to bring encryption to consumers, an effort that faces challenges around ease of use for the ordinary user.
Encryption has followed security's traditional quandary of easy versus secure. Basically, if anything [in tech] is easy to use, lots of people will use it -- but security and simplicity seldom go hand-in-hand.
Speaking to his Black Hat audience, Stamos directly referenced the 'post-Snowden era' of consumer privacy and security as the impetus for his push at Yahoo.
Post-Snowden, we have a strain of nihilism that’s keeping us from focusing on what’s real.
We as an industry have failed. We’ve failed to keep users safe.
If we can’t build systems that our users in the twenty-fifth percentile can use, we’re failing. And we are failing. We don’t build systems that normal people can use.
Stamos' talk was the best-liked and most talked-about briefing at Black Hat USA Las Vegas 2014.
Our profession has never been so (potentially) impactful as it is today. @alexstamos #BHUSA — Chris Eng (@chriseng) August 7, 2014
.@alexstamos just announced plans to support end-to-end PGP encryption in Yahoo mail at Black Hat pic.twitter.com/9oCpGkzvX3 — Yan! (@bcrypt) August 7, 2014
Alex wants bug bounty program with auto verification using Se scripts. Yahoo is building it. "Don't try to patent this." @alexstamos #BHUSA — Chris Eng (@chriseng) August 7, 2014
Watching @alexstamos killing it at #blackhat2014. Great analysis of security industry and the differences of life at scale. — Bob Lord (@boblord) August 7, 2014
Mr. Stamos has been tweeting tidbits about the announcement.
@tankredhase We have a fork of Google's plugin. Mobile app will have it native. @DrewHintz @bcrypt — Alex Stamos (@alexstamos) August 7, 2014
The move to encrypted mail brings Yahoo Mail to the forefront of user privacy in mail services among web giants, joining Google and Microsoft in the race to protect customers in the post-Snowden era of security.
Photo credit: Black Hat USA/UBM Tech, used with permission.