Slashdot Mirror


Yahoo Encrypting Data In Wake of NSA Revelations

Nerval's Lobster writes "Following reports that the NSA aggressively targets Google and Yahoo servers for surveillance, Yahoo is working to encrypt much of the data flowing through its datacenters. 'As you know, there have been a number of reports over the last six months about the U.S. government secretly accessing user data without the knowledge of tech companies, including Yahoo,' Yahoo CEO Marissa Mayer wrote in a Nov. 18 blog posting. 'I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency.' In order to make Yahoo's systems more secure, she added, the company is introducing SSL (Secure Sockets Layer) encryption to Yahoo Mail with a 2048-bit key. That security measure will supposedly be in place by January 8, 2014. Beyond that, Yahoo plans on encrypting all information that moves between its datacenters by the end of the first quarter of 2014. Around that same time, the company will give users the option to encrypt all data flowing to and from Yahoo; it will also 'work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled,' Mayer wrote. (While it's not a crushing expense for massive companies such as Yahoo, introducing this sort of security does add to infrastructure and engineering costs, and takes time to actually put in place.)"

24 of 137 comments

  1. Which Encryption Scheme is Safest? Can we tell? by Press2ToContinue · · Score: 4, Interesting

    Not mentioned was which encryption schemes Yahoo is considering. Maybe it's simply HTTPS, but is that good enough? Are there other possibilities?

    Since the NSA has backdoored encryption schemes in the past, how can Yahoo determine if the scheme they implement is actually going to prevent the NSA from decrypting it? It's a serious question, and you can patly answer "you can't", but if I were responsible for implementing this scheme, this is the question I would pose to the team and require some sincere digging because it would be an even bigger embarrassment to implement the encryption, and then read another Snowden-esque revelation showing it was for nothing, and I was made a fool of.

    --
    Sent from my ENIAC
    1. Re:Which Encryption Scheme is Safest? Can we tell? by DougOtto · · Score: 2

      This protects them from a "man in the middle" how?

      If the government has the keys it doesn't matter how many bits they use.

      --
      Solving Unix problems since 1989...
    2. Re:Which Encryption Scheme is Safest? Can we tell? by Shakrai · · Score: 5, Informative

      Not mentioned was which encryption schemes Yahoo is considering. Maybe it's simply HTTPS, but is that good enough

      HTTPS isn't an encryption scheme, it's a mechanism to establish a (theoretically) secure channel of communications. The actual ciphers to be used are negotiated between server and client, and can range from "You're kidding, right?" (RC4) to "The Federal Government claims it's good enough for Top Secret data." (AES-256)

      As with everything, there's a level of third party trust (the certificate authorities) or shoe-leather (exchanging keys in person) that's required regardless of the ciphers you end up using. That's a whole different discussion though.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
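Shakrai's point that "HTTPS" fixes nothing about the ciphers, only the negotiation, is something the server operator controls through the TLS configuration. The block below is an added example, not code from this thread or from Yahoo, using Python's standard ssl module to build a server-side context that limits the negotiation to TLS 1.2 or later, ECDHE key exchange (so a recorded handshake does not yield the session key) and AEAD bulk ciphers, plus check functions that enumerate what a client could still negotiate. The cipher-string policy and the WEAK_PATTERN list are assumptions chosen for the example.

```python
import re
import ssl

# Constructed policy for this example: names that should never appear in the
# negotiable set once the context is configured.
WEAK_PATTERN = re.compile(r"RC4|NULL|DES|MD5|EXPORT|RC2", re.IGNORECASE)


def hardened_server_context() -> ssl.SSLContext:
    """Server context whose negotiation is pinned to modern, forward-secret suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: ECDHE key exchange with AEAD bulk ciphers only,
    # plus explicit exclusions so a changed library default cannot re-enable them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES")
    # TLS compression leaks plaintext length; keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # The server's preference order wins, not the client's.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def negotiable_cipher_names(ctx: ssl.SSLContext) -> list:
    """Every suite this context would still accept from a client."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> list:
    """Suites matching the weak-name pattern; expected to be empty."""
    return [n for n in negotiable_cipher_names(ctx) if WEAK_PATTERN.search(n)]


def all_forward_secret(ctx: ssl.SSLContext) -> bool:
    """TLS 1.3 suites (names starting with TLS_) always use ephemeral key exchange;
    TLS 1.2 suites must name ECDHE explicitly."""
    return all(n.startswith("TLS_") or "ECDHE" in n
               for n in negotiable_cipher_names(ctx))


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum protocol:", minimum_protocol_name(ctx))
    print("negotiable suites:", negotiable_cipher_names(ctx))
    print("weak suites still enabled:", weak_ciphers_enabled(ctx))
    print("all forward secret:", all_forward_secret(ctx))
```

Running the checks against the context (rather than trusting the cipher string) is the point: get_ciphers() reports what the linked OpenSSL actually enabled, which is what a client will be offered.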
    3. Re:Which Encryption Scheme is Safest? Can we tell? by Jeremiah+Cornelius · · Score: 4, Funny

      Yeah. SSL/TLS. That's just as effective against a determined state actor, with access to the telecommunication infrastructure, as a Kleenex Condom.

      "You don't need to see his papers. This is the certificate you are looking for..."

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    4. Re:Which Encryption Scheme is Safest? Can we tell? by Dahamma · · Score: 4, Informative

      IPSec is no more an encryption scheme than HTTPS. Both are protocols that use authentication and encryption schemes, they just work at different layers of the stack.

    5. Re:Which Encryption Scheme is Safest? Can we tell? by MooseTick · · Score: 2

      Will a Kleenex Condom protect me from a man in the middle?

    6. Re:Which Encryption Scheme is Safest? Can we tell? by EdIII · · Score: 5, Insightful

      The issue is not whether they can brute force encryption.

      We already assume they have the capability of brute forcing all encryption within a reasonable time frame. Something hilariously well protected? 3-6 months.

      That being said, the NSA still only has so many units of discrete work it can perform in a given period. Now, unless you are going to try to convince me that the NSA has computing power many orders beyond the total computing power of the entire planet, it means there is still safety in numbers.

      Mass. Surveillance.

      That's the real game. That's the real threat to privacy and freedom. If everyone makes sure that the NSA has to waste those work units decoding a pair of testicles you sent to your best friend, the NSA is still left with picking and choosing its battles.

      I'm okay with that. If the NSA really can break all of my communication and files within a week or two, but can only do it for several dozen Americans at a time during that period, we are all still protected as a whole. The NSA can still do its job. Yes, there was an original job they ostensibly are supposed to perform in my best interests.

      The sheer magnitude of what would need decryption for mass surveillance makes it illogical to worry about, IF WE ARE USING ENCRYPTION EVERYWHERE AND ZERO-KNOWLEDGE 3RD PARTY SERVICES. I can't stress that last part enough.

    7. Re:Which Encryption Scheme is Safest? Can we tell? by mlts · · Score: 2

      Encryption schemes are important, but whenever someone mentions "let's encrypt it", I cringe.

      Encryption isn't some magic switch that you turn on and all your data is 100% secure from bad guys. What happens is that it makes a smaller chunk of data (i.e. the key or keys) the valuable part.

      Key management isn't a cookie-cutter thing. Err on security, and your data can't be recovered. Err on accessibility, and the bad guys now have your keys and can get your data.

      A small company can get by with burning an archival CD-ROM, as well as printing out all keys (passwords especially, but .asc files of private keys as well [1]) A bigger company would have recovery info be split up among corporate officers in a "x out of y" structure (where 3 out of 5 officers are needed to regenerate the master key.) Even larger companies would have regional managers, and far more exotic key management layouts with multiple recovery paths.

      If Yahoo decides to just "encrypt it", they need to put in a good key management structure in place... and of course, that will be the prime target for bad guys [2], so it has to be worth the security payoff of keeping the eggs in one basket.

      [1]: Yes, it will be hell and a half to retype in, but it will be there. Having archival media on a CD helps with that, but if bit rot nails the CD, there is always the paper copy.

      Oh, and don't try utilities which print bitmaps to paper like Paperbak. I've had great luck in printing them out... but scanning them in and recovering any data... absolutely zero luck whatsoever, so don't bother with those utilities as of now.

      [2]: The NSA is hyped, but one major threat is blackhats who would love access to Yahoo's assets for blackmail, DDoS, extortion, or to find other people to attack.
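The "x out of y" officer scheme mlts describes is normally implemented as Shamir secret sharing: the master key becomes the constant term of a random polynomial of degree k-1 over a prime field, each officer holds one point on that polynomial, and any k points reconstruct the constant term while k-1 points reveal nothing about it. The block below is an added example, not code from this thread or from any company named in it; the 521-bit Mersenne prime, the share layout and the constructed demo key are choices made for the example.

```python
import secrets

# Field modulus: the Mersenne prime 2^521 - 1, large enough to hold a 256-bit key
# as a single field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n, rand=secrets.randbelow):
    """Split an integer secret into n shares such that any k of them reconstruct it.

    rand(PRIME) supplies the random polynomial coefficients; it is a parameter
    only so the example can be exercised deterministically in a test.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    coeffs = [secret] + [rand(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial through the given points and read it at x = 0.

    With fewer than k distinct points this returns some other field element, not the secret.
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def split_key(key: bytes, k, n, rand=secrets.randbelow):
    """Wrapper for a raw key: each share is (index, value, key_length_in_bytes)."""
    as_int = int.from_bytes(key, "big")
    return [(x, y, len(key)) for x, y in split_secret(as_int, k, n, rand)]


def recover_key(shares) -> bytes:
    length = shares[0][2]
    return recover_secret([(x, y) for x, y, _ in shares]).to_bytes(length, "big")


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)   # constructed demo key, not a real one
    shares = split_key(master_key, 3, 5)   # 3 of 5 officers needed
    assert recover_key(shares[:3]) == master_key
    assert recover_key([shares[0], shares[2], shares[4]]) == master_key
    assert recover_key(shares[:2]) != master_key   # two officers cannot regenerate it
    print("3-of-5 split and recovery OK")
```

The share value alone is what each officer keeps; the index and key length are not secret. The backup problem mlts raises does not go away, it moves: each share still needs its own durable copy, but now no single copy is the master key.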

    8. Re:Which Encryption Scheme is Safest? Can we tell? by swb · · Score: 3, Interesting

      Most of the SANs I've seen support disk encryption and IPSec encryption between the SAN and the host or OS talking to it. If your OS writes encrypted data to storage (encrypted filesystem) as well, you have two layers of encryption on the platter and two layers of encryption in transit.

      Of course that doesn't address weaknesses in ciphers or key exchange systems, but it seems like it would make it a lot harder to get at the data because the only place it is decrypted is during interprocess communication (decrypting from the filesystem and before re-encrypting it for final transit to client).

      Not that this trivializes that risk, but it seems to make it a lot tougher.

    9. Re:Which Encryption Scheme is Safest? Can we tell? by Fwipp · · Score: 5, Informative

      Yes, that is how encryption works. But if your key is large enough, the time & energy to brute force it will take much longer than your lifespan. As an example I just googled, brute-forcing AES-128 at 10 Petaflops would take 10 quintillion years (10^18). http://www.eetimes.com/document.asp?doc_id=1279619

      The _real_ concern is that the NSA knows of weaknesses in these encryption schemes, and doesn't have to brute force it.

    10. Re:Which Encryption Scheme is Safest? Can we tell? by lgw · · Score: 3, Informative

      No one is ever going to brute force a 256-bit symmetric key. Even if you imagine a matrioshka brain (turn the entire energy output of a star into computation) it would take longer than the age of the universe. A 128-bit symmetric key is safe from brute force vs all realistic threats.

      If the math is flawed, OTOH, or your "random" key wasn't so random, it's easy (there is deep suspicion about the RNG built into Intel procs these days).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    11. Re:Which Encryption Scheme is Safest? Can we tell? by bobbied · · Score: 2

      Since the NSA has backdoored encryption schemes in the past, how can Yahoo determine if the scheme they implement is actually going to prevent the NSA from decrypting it?

      You have to understand that any key based encryption technique is breakable. It doesn't matter what key based technique you use, it can eventually be brute forced. All you can hope to do is make it take a very long time to decode, so long that the message becomes not worth the effort.

      There are "unbreakable" techniques, but they all require a one-use random pad that both parties know, but never disclose or reuse. That's about the *only* way to make sure the NSA cannot decode your stuff. Good luck doing that Yahoo.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    12. Re:Which Encryption Scheme is Safest? Can we tell? by mlts · · Score: 3, Informative

      It depends on where the "brains" are. Facebook (IIRC) has the redundancy on the backend app layer where coupled with NoSQL, if something drops... there is some redundancy built in somewhere to pick it off, or drop a couple tuples, but the tables still have their integrity. Whole servers can drop off the map, and Facebook will keep going. Isn't pretty, but their model really can handle stuff getting tossed here and there.

      Apple, on the other hand, uses Teradata systems with NetApp appliances on the backend, so one large cloud provider does go with the more traditional storage stack model found in the enterprise. However, unlike losing a FB post or two, a user losing chunks of their data would not be a good thing, so Apple's model tends to be more rigidly ACID compliant.

    13. Re:Which Encryption Scheme is Safest? Can we tell? by fustakrakich · · Score: 2

      As an example I just googled, brute-forcing AES-128 at 10 Petaflops would take 10 quintillion years (10^18).

      Brute-forcing Yahoo's CIO at about 1 lash per second with a rubber hose won't even take 5 minutes. And a single National Security Letter will shut the whole thing down anyway.

      Where's the beef?

      --
      “He’s not deformed, he’s just drunk!”
  2. Took them way too long by kekx · · Score: 2

    Well, actually it's quite embarrassing that they're only doing this now...

  3. She's given me 1/2 of what I want to hear by GodfatherofSoul · · Score: 2

    Strongly worded without PR-crafted terminology. Now, have you given these entities private information without a warrant?

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  4. Does it even matter... by nashv · · Score: 3, Insightful

    ...if they can be forced to turn over encryption keys at the whim of some NSA/government authority?

    --
    Entia non sunt multiplicanda praeter necessitatem.
  5. Yahoo can't even keep spam out of my inbox by JoeyRox · · Score: 3

    Whereas Google can. When I think cutting-edge technology and encryption Yahoo is the last company that comes to mind.

    1. Re:Yahoo can't even keep spam out of my inbox by Dahamma · · Score: 3, Interesting

      While I would have agreed with you two weeks ago, bizarrely, I have recently started getting a ton of spam in my Gmail account - really obvious stuff that should have been filtered. And Yahoo has been almost perfect filtering the same crap. Several people I have talked to have noticed the same thing. It's almost like someone at Google accidentally turned off the spam filter...

  6. Really. by BrookHarty · · Score: 2

    Doesn't do any good, if the law enforcement organizations (etc) have a warrant they can record all traffic from your IP/Phone. Depends on the company, but at AT&T Wireless they could turn on full sniffing from a mobile's internet traffic and record all TCP/UDP and even overlay it with location based service (tower strength triangulation). My boss said they had a group to assist in warrants, but after I setup the servers and routers, I NEVER saw an email, name or department identified, and I worked there for years setting up hardware from old packet data to 3G routers before I left.

    So anyways, they record the entire SSL handshake so they can decrypt the session. You too can even try it for yourself in wireshark.

    And who knows what is going on at the AT&T datacenters in those secret rooms...

  7. Useless (and an obvious deception) by rmckeethen · · Score: 2

    Let's be real about this -- if the N.S.A. wants data on any particular Yahoo user, or on all Yahoo users for that matter, it's not going to make one whit of difference if Yahoo encrypts its data or not. All the N.S.A. has to do is issue a national security letter, and Yahoo will cough up whatever they've got. Yahoo's encrypting the data on disk or in transit through their datacenters is little more than a pathetic attempt to lure customers into believing that Yahoo is doing something to protect their data when, in fact, there's little Yahoo can do to prevent the N.S.A. from getting its hands on your data.

  8. Re:Lol by mrchaotica · · Score: 2

    It's not that we think the NSA can brute force SSL; we think the NSA has compromised the certificate authorities.

    --
    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  9. Re:Lol by dmbasso · · Score: 2

    I just picked that comment because it said "thru [sic] ssl", and I interpreted it as "breaking DH" or something. But I was referring to a somewhat spread sentiment that breaking encryption is just a matter of developing technique, which may not be the case (hence my sarcastic reference to the halting problem & Godel's incompleteness theorem).

    Like this post above:

    The issue is not whether they can brute force encryption.
    We already assume they have the capability of brute forcing all encryption within a reasonable time frame. Something hilariously well protected? 3-6 months.

    --
    `echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
  10. cop with a warrant by globaljustin · · Score: 2

    +1 Insightful on the "government has the keys" point...

    here it is: law enforcement & NSA must have the ability to access anything, given proper rights & procedures

    no one can make a successful counter-point...all arguments are arguments over ***under what conditions*** the LE/NSA can access the information

    Yahoo is doing absolutely nothing other than PR 'damage control' by manipulating the facts with this news.

    Yahoo will give up **anyone's** data as fast as humanly possible when asked by a legal authority and this news changes nothing about that.

    the speed at which LE/NSA can access our data under legal order is simply a **question of IT engineering**

    --
    Thank you Dave Raggett