Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Offering Encrypted Email

Posted by CmdrTaco on from the screwing-with-carniore dept.

James Salsman writes "Now that Yahoo delivers encrypted email, I would sure like to know what the Slashdot fray thinks of that, especially in light of Carnivore's vulnerability to some forms of encryption (but not this one?)." michael adds: You might also want to check out Cyber-Rights.net, which is a UK civil liberties group offering encrypted email through a deal with Hushmail.

6 of 164 comments (clear)

  1. Re:Yahoo! Right? by bluGill · · Score: 5

    You forgot some critical steps if you want to be secure.

    Not only do you need open source, you need open source that you have personally understood every line of, compiled on a compilers that you wrote in binary youself.

    The last part, compiled on a compiler you wrote youself is very deep: a compromised compiler can destroy all advantage of open source. (See the infamious login hack, which you should look up) If the compiler isn't something you wrote in binary yourself, then you can't be sure that your compiler wasn't compromised. And you really should go deeper, since it is possibal (in theory) for someone to put a little prom in your disk/floppy drive that checks to see if a compiler is being written and compromise it, meaning you have to design your hardware from scratch and make it from silcon you mine yourself. (Note that recignising a hand written compiler and figgureing out how to compromise it might require solving the halting problem, so I don't know if it is possibla in the general case, but it is possibal if everyone works from one binary listing)

    It is worth it to be paranoid, but unfortunatly if everyone was paranoid enough nothing could get done because everyone has to invent their own wheel on up through everything civialization has done.

  2. Lokmail by Billy+Donahue · · Score: 5

    lokmail
    is the only webmail service that actually
    uses good old fashioned PGP encryption over
    an SSL link. I think promoting PGP use
    and not a new proprietary encryption system is
    a better way to fly. You can get a free
    PGP webmail account at lokmail right now.
    Ignore Yahoo.

    --
    -- The Funk, The Whole Funk, And Nothing But The Funk
  3. Re:Yahoo! Right? by locutus074 · · Score: 5
    (See the infamious login hack, which you should look up)
    Are you referring to this one, by chance?

    It certainly made me think the first time I read it. Highly recommended.

    --

    --

    --
    We have fought the AC's, and they have won.

  4. Oh Boy! by Electric+Angst · · Score: 5

    This is great! Now, the Feds won't be able to read the "private" e-mails I get from women who want to know if they'd make good porn stars, or want to invite me to watch the wild action at their party house, or the people offering me unaccredited University diplomas!
    Take that, Mr. Fed!
    --

    --
    Feminism is the wild notion that women are human beings.
  5. Re:Good by plover · · Score: 5
    The point is adding more encrypted traffic to a system tends to "hide" other encrypted traffic. It's also a good precedent to get other free e-mail hosts such as Hotmail to encrypt their mail, just to "keep up with the Joneses."

    Look at it math-wise: if 0.1% of the e-mail traffic today is encrypted (which I'm personally guessing would be way high,) if you were to send an encrypted letter to your buddy (whose ISP is being Carnivored,) it'd get noticed. Being only one message out of a thousand, it might even merit a few minutes on FBI's Deep Crack.

    Now, add in all the Yahoo e-mail traffic and that number might rise to 1.0%. Include encrypting lots of Hotmail traffic, and it might rise to 2.0% Pretty soon, there's too much traffic to Deep Crack every encrypted message that runs past. And eventually, once encrypted e-mails outnumber regular e-mails, seeing encrypted traffic go past a router won't even raise a flag.

    If you're actually concerned about security, of course you won't use Yahoo's service. Let the "commoners" think that they're getting security. But for now, they're providing background cover to help hide the mail that truly needs encryption.

    John

    --
    John
  6. Bad encryption is worse than no encryption!!! by rknop · · Score: 5

    ...because it gives the user a false sense of security.

    The actual encryption algorithm itself here may be fine; I don't know, I can't get the Securedelivery.com site to load. (Not a good sign.) But, as Bruce Schneider is fond of pointing out, it's not just the algorithm, but how it's used. Others here have already noted two problems: one, it's Yahoo's key, so you have to trust them to keep it secure. Two, the message already travels unencrypted to Yahoo, and even Yahoo agrees it's not end-to-end encryption.

    So what, you say. It's more encrypted than Yahoo mail was before, so why not use it? The danger is that the public, who, together with politicans, have demonstrated a startling ability not to understand technology and encryption issues, may start touting this as the solution. A real solution (to the technological aspects, anwyay) is to have end to end encryption, with open source tools that at least in principle can be verified to have no back doors, and with your own personal keys you make yourself. Naturally, this makes the folks who run Carnivore unhappy, becuase they can't just go to Yahoo and demand keys. So, probably having given up the battle to competely outlaw encryption, they stand to benefit greatly from systems such as Yahoo's. The public might potentially be convinced that this is as good as encrypting your mail yourself. Indeed, many seem to have trust in huge companies (as is evidenced by the fact that the FUD attacks against Linux ("who will you sue?") took so long to go away), and may think that having Yahoo do it all for you is better.

    I'd rather see it done right than implemented poorly in a way that might catch on.

    -Rob