Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Encrypting Data In Wake of NSA Revelations

Posted by samzenpus on from the protect-ya-neck dept.

Nerval's Lobster writes "Following reports that the NSA aggressively targets Google and Yahoo servers for surveillance, Yahoo is working to encrypt much of the data flowing through its datacenters. 'As you know, there have been a number of reports over the last six months about the U.S. government secretly accessing user data without the knowledge of tech companies, including Yahoo,' Yahoo CEO Marissa Mayer wrote in a Nov. 18 blog posting. 'I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency.' In order to make Yahoo's systems more secure, she added, the company is introducing SSL (Secure Sockets Layer) encryption to Yahoo Mail with a 2048-bit key. That security measure will supposedly be in place by January 8, 2014. Beyond that, Yahoo plans on encrypting all information that moves between its datacenters by the end of the first quarter of 2014. Around that same time, the company will give users the option to encrypt all data flowing to and from Yahoo; it will also 'work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled,' Mayer wrote. (While it's not a crushing expense for massive companies such as Yahoo, introducing this sort of security does add to infrastructure and engineering costs, and takes time to actually put in place.)"

6 of 137 comments (clear)

  1. Which Encryption Scheme is Safest? Can we tell? by Press2ToContinue · · Score: 4, Interesting

    Not mentioned was which encryption schemes Yahoo is considering. Maybe it's simply HTTPS, but is that good enough? Are there other possibilities?

    Since the NSA has backdoored encryption schemes in the past, how can Yahoo determine if the scheme they implement is actually going to prevent the NSA from decrypting it? It's a serious question, and you can patly answer "you can't", but if I were responsible for implementing this scheme, this is the question I would pose to the team and require some sincere digging because it would be an even bigger embarrassment to implement the encryption, and then read another Snowden-esque revelation showing it was for nothing, and I was made a fool of.

    --
    Sent from my ENIAC
    1. Re:Which Encryption Scheme is Safest? Can we tell? by Shakrai · · Score: 5, Informative

      Not mentioned was which encryption schemes Yahoo is considering. Maybe it's simply HTTPS, but is that good enough

      HTTPS isn't an encryption scheme, it's a mechanism to establish a (theoretically) secure channel of communications. The actual ciphers to be used are negotiated between server and client, and can range from "You're kidding, right?" (RC4) to "The Federal Government claims it's good enough for Top Secret data." (AES-256)

      As with everything, there's a level of third party trust (the certificate authorities) or shoe-leather (exchanging keys in person) that's required regardless of the ciphers you end up using. That's a whole different discussion though.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Which Encryption Scheme is Safest? Can we tell? by Jeremiah+Cornelius · · Score: 4, Funny

      Yeah. SSL/TLS. That's just as effective against a determined state actor, with access to the telecommunication infrastructure, as a Kleenex Condom.

      "You don't need to see his papers. This is the certificate you are looking for..."

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:Which Encryption Scheme is Safest? Can we tell? by Dahamma · · Score: 4, Informative

      IPSec is no more an encryption scheme than HTTPS. Both are protocols that use authentication and encryption schemes, they just work at different layers of the stack.

    4. Re:Which Encryption Scheme is Safest? Can we tell? by EdIII · · Score: 5, Insightful

      The issue is not whether they can brute force encryption.

      We already assume they have the capability of brute forcing all encryption within a reasonable time frame. Something hilariously well protected? 3-6 months.

      That being said, the NSA, still only has so many units of discrete work it can perform in a given period . Now, unless you are going to try to convince me that the NSA has computing power many orders beyond the total computing power of the entire planet, it means there is still safety in numbers.

      Mass. Surveillance.

      That's the real game. That's the real threat to privacy and freedom. If everyone makes sure that the NSA has to waste those work units decoding a pair of testicles you sent to your best friend, the NSA is still left with picking and choosing its battles .

      I'm okay with that. If the NSA really can break all of my communication and files within a week or two, but can only do it for several dozen Americans at a time during that period, we are all still protected as a whole. The NSA can still do its job. Yes, there was an original job they ostensibly are supposed to perform in my best interests.

      The sheer magnitude of what would need decryption for mass surveillance makes it illogical to worry about, IF WE ARE USING ENCRYPTION EVERYWHERE AND ZERO-KNOWLEDGE 3RD PARTY SERVICES. I can't stress that last part enough.

    5. Re:Which Encryption Scheme is Safest? Can we tell? by Fwipp · · Score: 5, Informative

      Yes, that is how encryption works. But if your key is large enough, the time & energy to brute force it will take much longer than your lifespan. As an example I just googled, brute-forcing AES-128 at 10 Petaflops would take 10 quintillion years (10^18). http://www.eetimes.com/document.asp?doc_id=1279619

      The _real_ concern is that the NSA knows of weaknesses in these encryption schemes, and doesn't have to brute force it.