Yahoo To Add PGP Encryption For Email

Bismillah (993337) writes Yahoo is working on an easy to use PGP interface for webmail, the company's chief information security officer Alex Stamos said at Black Hat 2014. This could lead to some interesting standoffs with governments and law enforcement wanting to read people's messages. From the article: "'We are working to design a key server architecture that allows for automatic discovery of public keys within Yahoo.com and other participating mail providers and to integrate encryption into the normal mail flow,' Stamos said."

Re:Metadata

[Scutter]

"Metadata" is a media buzzword designed to make you feel good about having your data monitored. They're still monitoring your conversations. Stop buying into their talking points. The headers of your e-mail are as much your data as the body of the e-mail.

Where is the private key stored?

[Henriok]

Where is the private key stored? These are web mail services and if that's going to be easy to use, the key must travel with the user, and how is that going to work securely? Or are they going to store people's private keys on their own servers? If so, wouldn't that almost completely defy the purpose? If intelligence agencies or more usual evil does have access to the mail servers, or user accounts wouldn't they also have pretty much access to the key store servers too? Could someone with more knowledge into how this might work please sort this out for me.

Re:Where is the private key stored?

[BaronM]

With any encryption scheme, key management is usually the biggest pain in the ass. No doubt, this is the biggest problem with implementing encryption for webmail.

Keeping my private key on a USB drive on my keychain could ALMOST work, in that on any desktop or laptop I could insert it to get to the key. For mobile, I think Yahoo will need to release a mail app that supports an easy & secure way to load your key.

Also - keying a passphrase on a moble device to open/sign/encrypt email will suck big time. This could be a great use for a fingerprint sensor on phones.

Re:Where is the private key stored?

[PPH]

PGP uses a public/private key pair. The way it should work: You generate a key pair locally and keep your private (decryption) key to yourself. You can then publish your public key, which other parties can use to encrypt messages to you. Key management would consist of some scheme where the mail service provider would 'sign' your public key to provide authentication and some easy to use public key lookup schemes so other people can securely recieve your key (protect against man-in-the-middle attacks) in order to prepare messages to you.

The problem with many popular web mail encryption services is that the private key generation and storage is in the hands of the mail service instead of distributed to individual users. So that puts it within the reach of a National Security Letter. Or a bunch of Russian hackers if the admin is less than competent.

Web based pgp encryption = no encryption

If you enter your message to be encrypted into a webpage, then unless you trust that webpage (yahoo in this case), you shouldn't trust any encryption method that's out of your control. Just use an open source mail client to contact the email server to send the encrypted message. Safe and secure (except for metadata that is).

Re:Oh, god

[sideslash]

Yahoo mail improved dramatically after Marissa Mayer became CEO. It seems to me that they are actually trying to be more like Gmail, and it shows in a positive way. They still fall short, but as a longtime Yahoo mail user I'll take what I can get. At least their recent improvements are much better than your characterization, for sure.

Awesome!!

[hymie!]

Now all I have to do is get my father, my mother, my sister, my half-sister, my grandmother, my wife, and my assorted friends to learn what PGP is and how to read the emails I send them.

Re:Awesome!!

[Pi1grim]

Mailservers don't talk PGP. Even being encrypted it's armored in base64 encoding and transmitted as plaintext. And mail client either knows what to do with it, or not. So, nope, no fallback possible, because you can never know if particular person is going to read it through a client that supports encyption or not. But if you have his\her public key, you might as well assume, that client does know ho decrypt it and if you don't - you can't encrypt it anyway.

And Google Cannot Follow

google is doing this (http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html)

Re:Oh, god

[roman_mir]

I disagree, didn't improve for me, ofcourse I run older Ubuntu and FF 16. The only saving grace is their smtp server and lets hope PGP is for that only or at least has the disable option. If they add it as a js file to online mail, I cant even imagine the horror show that will ensue.

Re:It's a TRAP!

Any proposal in which users hand over their private keys to a third party (such as a webmail provider) should be assumed to be done with the blessing of, or at the request of, law enforcement or intelligence agencies.

The third party (Yahoo) cannot prevent lawful intercept requests, subpoenas, etc from exposing any data they house as that data has been ruled to be not the property of the individual who supplied it.

A provider wanting to actually improve end-user security must intentionally attenuate any power they might have which grants anyone -- including themselves -- the ability to weaken the controls surrounding user data.

Re:Metadata

[just_another_sean]

It's not the postman reading it though is it? There is a difference between an employee of the post office reading an address to route mail properly vs. gathering all address, storing them and creating programs to discover all connections and relationships between addressees.

It's not that they read the meta data that's the problem, it's what they do with it.

Re:Great

[KermodeBear]

This kind of functionality would be enough for me to switch mail providers.

Yes, yes, it can always be done manually, but I have a lot of friends that aren't as tech savvy as I am. Generating a key, keeping the private one somewhere safe, copying text from the PGP application, pasting it correctly, copying incoming text, pasting, decrypting, etc., etc., it's all a pain in the butt for the typical computer user.

If Yahoo can manage to implement this correctly so that it is safe AND easy to use that's a big deal.

PGP Is the easy part. Key mgmt is hard

[cpuh0g]

Implementing PGP with (yet another) public key database is easy enough to do. The biggest issue will be the management and protection of the private keys needed to sign and decrypt incoming messages. If Yahoo ends up holding the private keys, then it's completely untrustworthy and useless.

Also, why do they want to create another public key DB? Keybase.io is very nice, and the existing PGP.net servers have a huge existing database of public keys, though it is nearly impossible to delete a key once its published.

Re:It's a TRAP!

[jep77]

Any proposal in which users hand over their private keys to a third party (such as a webmail provider) should be assumed to be done with the blessing of, or at the request of, law enforcement or intelligence agencies

Where did it say in there that users would hand over private keys to a third party?

Re: It's a TRAP!

[IMightB]

I dunno I worked for a large scale email company for almost a decade... They basically persused every possible encryption method possible except for pgp. Mainly for business reasons.. For instance if an employee ever left the company, the private key basically went with them so if emails were encrypted. All of it would be effectively lost to the city company.

This lead to developments efforts to hat would basically give lip service to encryption but little real security...

While a lot depends on what implementation details they come up with, yahoo seriously perusing PGP is probably a good thing.

Even if done badly, might do some good?

[Aaden42]

Key management’s the thing here of course. If it’s on their server, NSA has it, etc. There are ways the key could be encrypted on server, decrypted only locally etc. Most of those have myriad ways the key could be mis-handled, leaked, etc.

That said, I’m kind of leaning towards this being a good thing, even if its implementation isn’t 100% paranoid geek approved secure. Ultimately if the NSA wants to read YOUR stuff, they’re going to (see: $5 wrench). If we assume Yahoo manages to implement this such that key retrieval is at least inconvenient (for $ufficiently large value$ of inconvenient) to anyone other than the account owner, then it should at least complicate NSA’s blanket “read all the things” approach. If it tips the balance back to the point that they actually have to expend more resources than your grandmother’s chocolate chip cookie recipe is really worth, then *maybe* they go back to only reading very interesting people’s emails without a warrant rather than reading everybody’s. I guess that’s worth half a point?

More importantly, if it manages to turn the seething mob of luddite Yahell users onto the fact that encryption is a thing, and explains to them why they want this thing, maybe the “winning hearts and minds” gambit is worth something to the world as a whole, even if the individuals’ email isn’t NSA-proof. Right now most mothers & grandmothers either have no clue what encryption is, or think it’s something only used by hackers, ter’ists, pr0n, criminals, etc. “Them” in other words. If Yahoo manages to convince a sizable portion of the voting public that privacy has worth, and encryption is a way to ensure that privacy, I think that’s a worthy outcome even if the encryption has flaws. Maybe that opens the door to conversations about the difference between effective and ineffective encryption. Maybe it even brings it closer to socially “normal” for someone who knows what effective encryption is to encourage others to use it without being assumed to be a nutcase or worse.

I hate to advocate selling snake oil, but there *are* an awful lot of squeaky snakes around. Maybe the right salesman can convince enough of the populace they need encryption, then we can worry about offering really good encryption for those adequately equipped to work with it.

Re:And Google Cannot Follow

[2fuf]

Well, they would of course have access to the content before it's encrypted. I don't trust someone else to perform the encryption for me, even on the client side, after everything that happened. But then, even your own OS, all the software that's on your machine, there are sooo many parties involved with so many affiliations, objectives, incentives. If it's not NSA that's peeking through your SSL connection, then it's probably China that bought off your antivirus manufacturer or a Russian hacker who injected something vile in an open source library that covers 90% of the internet connected world or someone we haven't even heard of who hardwired all keyboards straight from in the manufacturing plant to phone home your input. Hell, they could even be peeking through the window.

If they want to read it, they will. If you desperately want to avoid it, don't use Yahoo of GMail in the first place, not even with "encryption". I'm cynical enough to think this will not prevent them from reading your content, Yahoo will have a similar gain by accessing your content (why would they start the service in the first place) and they don't seem to mind.

Mailvelope etc.

The Mailvelope Plugin - https://www.mailvelope.com - already does that: encrypt webmails a la Gmail, Yahoo, Hotmail or your own Roundcube etc.. It does so in-browser, obviously. Still basic in functionality but works for simply sending messages back and forth. Clear-signing, though available, tends to get screwed up due to message wrapping on the receiving end.

You may also find https://encrypt.to a very cool thing. Essentially a simple contact form, that encrypts the message with GPG and sends it on to the actual mail account. That way, a user who does not use PGP can send failry secure mails to a GPG-user. A simple vanity-style URL can be given to such users for easy access to the input form. The scripts are freely available and can be used on your own webserver under your control. This idea may significantly help in overcoming the chicken/egg problem we are having in regards to PGP use!

As far as webmail with PGP goes, Startmail is already doing that. You create the keys in their interface (yes, I know!) and the use is very straight-forward. You can also communicate with outisde user who do not have PGP. They will get an SSL-link and access it via a previously agreed-upon passphrase. Their reply to the Startmail user from there will also get PGP-encrypted on Startmail's server and put into the Startmail user's mailbox.
While this setup is, for purists, far from ideal, it could help get normal people to use PGP. If you don't like it, stop bitching, and help make PGP easier to use the 'proper way'! ;-)

Re:Great

[hawguy]

I'm curious how this could decrease revenue though, because automated scanning is is where the adds come from, and your key would only be as long as effective as a pass-phrase (I assume cloud stored password protected key, with local javascript to unlock the key, and something stored on the local computer to cache the key so the pass-phrase doesn't need to be used constant).

The problem with a cloud stored key that's unlocked by JavaScript with a passphrase is that when the government wants your passphrase they'll either tell Yahoo to silently replace your JavaScript module with one that does keylogging of your passphrase, or they'll take over Yahoo's SSL certificate and inject keylogging JavaScript of their own.

Why not S/MIME?

[Arkham]

Instead of PGP they should use S/MIME. It's functionally the same but is far more widely supported. It's even included in the Exchange ActiveSync protocol via ResolveRecipients to retrieve the public keys of other users. I don't dislike PGP/GPG, but if it were me I'd go with a more standard envelope.

Re:Why not S/MIME?

[mlts]

S/MIME is better than nothing. I use it often because of exactly the fact that it is part of most MUAs, and it takes zero effort on the recipient's side for a signature to be validated.

However, S/MIME is just like SSL/TLS, being one bad CA away from being useless, while PGP's web of trust system is far more robust and can handle a bad key introducer fairly easily.

If we can get people used to making webs of trust, especially if Yahoo made some type of utility for this, it would go far with security.

Re:Great

[mlts]

I'm reminded of one encrypted E-mail provider in this regard. They did nothing wrong, but were given the choice between having people face jail time or hand over data (because if one views E-mail on the server rather than a Java client, the server has the ability to decrypt it.)

I still use them, but I have concerns about tying the endpoint encryption/decryption to the mail provider. As stated above, it wouldn't take much to force Yahoo to push an update to the one "user of interest" that would either retain the decrypted E-mail or upload the key.

What Yahoo -can- do is make key exchange and key management easier, with keyserver functionality. That way, Alice can sign Bob's key for Charlie, upload it to Yahoo's keyserver, then Charlie will have a good chance that the key purported to be Bob's is actually the right one. Making a web of trust easier for people is something that is desperately needed.

Re:And Google Cannot Follow

[mlts]

There are always ways to ensure data is encrypted and stays encrypted. The simplest is to have an offline computer with a SD card slot, and read/sign sensitive stuff on that machine. Of course, this isn't 100%, but it forces someone to have "boots on the ground" in order to obtain data.

One can get fancy with an offline setup (only boots from a "trusted" USB flash drive only on a keychain, then requires a long passphrase to mount /home, etc), but the idea is to have an air gap, which will block 99.999% of the attacks out there and force an adversary to have to have a physical presence.

Even if one doesn't do that, just having using S/MIME is a big step up from what we have now.

Re:It's a TRAP!

[petermgreen]

It didn't but yahoo is a webmail provider and webmail kinda implies that the provider will either be storing the key or at the very least be able to access it by tweaking some javascript a litte.

The reason PGP is difficult for the plebs is that secure encryption requires you to take responsibility for your own key management and ensure to the best of your ability that the key does not leave devices you control (if you are really paranoid you don't even put it on an internet connected machine). If you leave key management up to a third party then your whole security becomes dependent on them.

Re:Great

[Bender0x7D1]

It absolutely does not matter who has your PUBLIC key. The entire point is for the entire world to have it. Now, the PRIVATE key - that you need to keep to yourself, and as secure as possible.

Note: I say "as secure as possible" because, at some point you are trusting an underlying layer to be doing their job correctly - be it browser, email client, PGP application, OS, or that rootkit that got installed.

Re:It's a TRAP!

[Sloppy]

Where did it say in there that users would hand over private keys to a third party?

It's implied by the fact that it's webmail. Does your browser have an OpenPGP library? Does it check all the Javascript that it downloads and executes, against some repository's whitelist? You have to assume the key isn't handled safely, unless you can answer Yes to these questions. And a lot of webmail users expect the server to be able to search and that's obviously impossible unless the server can read, so it's not like the unsafeness stems just from potential trickery.

That said, the more interesting question is what social effect this might have. Even "bad" use of OpenPGP could start conditioning more people to being familiar with, tolerating, expecting PGP. Get into a better frame of mind, and better habits can come later. And with good habits, some security could eventually emerge. The security wouldn't be there for Yahoo webmail users, and yet some users might end up having Yahoo webmail to thank for it.

And let's face it, the barriers to secure communication are almost entirely social; we choose to have insecure communications. Anyone who is working on that problem is working on The Problem.

Re: It's a TRAP!

[petermgreen]

You know what ADK is? A back door. So, either they're encrypting it twice (once with your key, once with the other), or they've poked holes in the encryption and it is complete garbage.

The usual way to do multi-recpiant encryptions is you encyrpt the message with a freshly generated symmetric session key. Then you encrypt the sesssion key multiple times with the recipiants public keys.

but it assumes you have 100% explicit trust in the agent who has the ADK

Indeed it does, in security there is always a balance between keeping prying eyes out and keeping records available to those with legitimate reason to access them.

Re:It's a TRAP!

[Steve+B]

webmail kinda implies that the provider will either be storing the key or at the very least be able to access it

Obviously they need access to the PUBLIC keys in order to encrypt messages to the designated recipient. The whole point of public-key cryptography is that revealing the public key doesn't compromise security.

Re:It's a TRAP!

[petermgreen]

The problem is not so much sending encrypted mail. The problem is sending signed mail or receiving encrypted mail. In those cases you need to provide your private key to the mail software.

If the mail software is running on a third party server then that means handing your private key over to them. If the mail software is javascript in a browser then the javascript could be written to keep the private key in the browser but there is a significant risk of the javascript being quietly substituted.

Re:We need a Thunderbird interface to it too

[SpzToid]

Like this? https://addons.mozilla.org/en-...

no private key to SEND GPG. End bulk collection

[raymorris]

There are two ways this can work well.

Yahoo, or any other email provider, doesn't need access to the private key to SEND encrypted email. Someone who wishes to receive encrypted email publishes their PUBLIC key. The message is encrypted with the public key. Yahoo can automatically check popular key servers and if the recipient publishes a private key, offer a one-click option to encrypt the email. Because the recipient publishes a key, that pretty much advertises that they know how to read a message sent with their key. They don't need Yahoo's help on the receiving side. So sending encrypted email is no problem. There are some details to get right, but no fundamental problem.

Now let's consider reading encrypted email via webmail. It has been pointed out that the obvious implementation would be to use JavaScript to do the decryption. Maybe the Yahoo team will come up with something more clever, but let's assume they don't. In that case, it's been pointed out that Yahoo could replace the encryption JavaScript for targeted users, at specific times. That's true until someone releases a browser plug-in that checks the hash of the script, but there is still a big gain. Until then, Yahoo could be ordered to intercept SPECIFIC, TARGETED users. As opposed to today, when Yahoo can be ordered to provide a tap for NSA to collect ALL emails. Getting rid of that bulk collection capability is a big win.

Note that if the FISA court did order Yahoo to switch out the JavaScript, the likelihood that would be detected would be proportional to how often they did it. If they did it once, they'd almost surely get away with it. If they did it all the time, they'd almost surely be caught. So they'd want to use it rarely, saving it for high value targets in order to keep it secret. That's actually exactly what I WANT for a widely deployed technology. The ideal, I think, would be that the technical details are such so that the government can't read everyone's email, but in special cases a proper court can authorize reading Osama bin Laden's email and the technology allows that to happen only rarely. So this actually comes pretty close to the ideal, assuming that NSA wants to keep the Yahoo hack secret and therefore rarely uses it.

Re:It's a TRAP!

[Arancaytar]

It didn't but yahoo is a webmail provider and webmail kinda implies that the provider will either be storing the key or at the very least be able to access it by tweaking some javascript a litte.

Not necessarily. Securely handling keys is indeed impossible for untrusted Javascript, but it should be feasible to provide a browser add-on (analogous to Enigmail for Thunderbird) with a key management UI and PGP bindings for Javascript. As long as that add-on is open-source and vetted by browser vendors, you don't need to trust Yahoo's web page (let alone their server) with your private key.

Ideally, this would be a core part of Firefox / Chrome, or at least a unified add-on, but in practice Yahoo!, Gmail and others would probably insist on making their own.

However, a general-purpose add-on could potentially allow encrypting/signing the content of any text field in a page, so it wouldn't depend on the email provider's support.

Re:It's a TRAP!

[cdwiegand]

Indeed, this. Although I can think of no way to securely do PGP in a web interface (as even a browser plugin, suggested by an earlier poster, is vulnerable to the NSA et al going to Google, Firefox and Microsoft and demanding they implement a shim allowing them access to the innards of the browser memory), even fake security does raise exposure to encryption, and systems not compliant or that munge the encryption will be fixed to not mess up the emails. This is good, and then we, as the open source community, can work on creating truly secure systems / interfaces.

The private key would have to be handled locally

[davidwr]

Hushmail did some stuff client-side. In order to be immune from government interference, Yahoo webmail would have to be similar.

To be trusted for receiving mail, they would need to release an open-source web plugin or local application that hooked into the web browser to do the decrypting client-side, OR have encrypted message be downloadable but not directly readable within the web browser.

Bonus points if the client-side software is developed by a well-respected known-to-value-freedom 3rd party using a standardized API.

USB can't be trusted either

[davidwr]

You can't trust USB devices these days either.

How about an offline machine that encrypts and prints the encrypted email either as text or as an easy-to-scan graphic and a scanner on the sending computer to scan it in as a graphic, mail the graphic to the recipient, and let him do the de-rasterizing and decrypting?

For receiving mail, have a 3rd computer that is air-gapped from the other two that has a scanner attached to it.

Yeah, it's hard, and yeah, it paints a target on your back about as much as using TOR would, but it would be immune from the "poisoned USB port" attack.

Private keys are probably kept client-side...

[steppin_razor_LA]

"Does your browser have an OpenPGP library?"

It looks like it will soon:

http://googleonlinesecurity.bl...

Re:It's a TRAP!

[MichaelSmith]

Any proposal in which users hand over their private keys to a third party (such as a webmail provider) should be assumed to be done with the blessing of, or at the request of, law enforcement or intelligence agencies

Where did it say in there that users would hand over private keys to a third party?

At best they would give the keys to software provided by Yahoo and running in their browser. Law enforcement could compel Yahoo to provide a backdoor to that software or they could compromise the encryption in the browser. Unlike java, javascript has nothing to stop code from a different source interfering with other code running in the browser.

Re:Great

[thegarbz]

If Yahoo can manage to implement this correctly so that it is safe AND easy to use that's a big deal.

Except they can't. Yahoo Mail is webmail which leaves you with two options:

1. They have the keys. In what way is this any better than simply using SSL between mail servers? If you don't manually provide the key or manage your own key then it implies that Yahoo is holding your private key, otherwise webmail wouldn't work.

2. You have the keys, and we're back to complicated key management by end users, manually uploading them when you fire up your browser session, etc.

Public key cryptography is not something that can be fixed by companies.