Yahoo Debuts End-To-End Encryption Email Plugin, Password-Free Logins
An anonymous reader writes: Yahoo has released the source code for a plugin that will enable end-to-end encryption for their email service. They're soliciting feedback from the security community to make sure it's built properly. They plan to roll it out to users by the end of the year.
Yahoo also demonstrated a new authentication system that doesn't use permanent passwords. Instead, they allow you to associate your Yahoo account with your phone, and text you a code on demand any time you need to log in. It's basically just the second step of traditional two-step authentication by itself. But Yahoo says they think it's "the first step to eliminating passwords."
I hope that if the recipient gets an encrypted email, it shoves the plugin down their throat. Maybe that way people will start adopting encryption.
How secure is it? How hard is it to clone SIM cards of people? Is there a chance the text can go to the wrong phone?
Maybe they should limit what can be accessed when not using the password. Read/Compose only. Maybe delete, but not empty the trash.
You know, I would love it if providers such as Yahoo! Mail were to offer an option to archive all e-mail, as a form of backup. You know, in a handy zip file consisting of either email file types or text file types.
I don't. I tried to sign up with Yahoo a few weeks ago and got cockblocked by this. They required a mobile number.
Now anyone who finds it has access to my account because there is no passphrase? Gooby Pls!
No, you're just sending them a 2nd factor password authenticator. It's still a fucking password. Your users are just too simple to remember it perhaps.
## Sometime in the future
Yahoo! is bought out by MS and email switched to MS' mail. Yahoo! Mail is shuttered.
End to end encryption with sending the code over an unsecure SMS so that the NSA can decrypt it anyway.
Nice.
Yahoo needs to understand that the purpose of 2-factor authentication was not to replace passwords, but rather to ... provide a second factor of authentication.
Remember ideally:
1. Something you know
2. Something you have
3. Something you are
Each is no more secure than the other, but together they form a far stronger system than any individual component.
Great, so now the latest XSS attack will have more efficient access to my yahoo email than I do. This looks like more of a play to limit the (free) service to users with money to spend, while being better positioned to track their spending preferences.
* Full disclosure, I haven't used my yahoo email in years.
I do not like the phone identification. What if I want to change the phone? Do I just have to change the phone from all the places I use to identify myself with the phone?
Or what if my phone dies for whatever reason?
I really do not like the idea.
It's still in America so it's subject to NSL, Patriot Act and all those other "freedom" laws they have. American crypto just can't be trusted, fundamentally flawed by law.
Is that right? I assumed that US law was like UK law - there is no law against using strong encryption but you can be compelled to give the encryption keys to the security services.
I wonder how many people access yahoo mail on their phone, in effect reducing the protection to 1-factor authentication again? I know people who have Paypal accounts accessed on the smart phone with passwords remembered - and use SMS to the same phone as authentication!
> you can be compelled to give the encryption keys to the security services
In America, there would be a strong argument that this is in contravention of the Fifth Amendment of the Constitution (as it would be self-incrimination). Not sure how that's played out though.
But yes, in the UK, there is a specific criminal offense of "Not disclosing your encryption key" which carries a 2 year sentence... and you can of course, be asked to disclose your key again once you've served it...
..or is this even more annoying since it rotates the code every time you try to authenticate?
What if your phone is dead/stolen and you desperately need to get a message out? You're fucked.
NOTE: They just killed Yahoo! Profiles. In short, they are collecting data for themselves while making it harder and harder for Yahoo! users to search each other out.
*** Don't be dull.***
PGP doesn't protect metadata.
SQRL completely eliminates the need for passwords https://www.grc.com/sqrl/sqrl....
> you can be compelled to give the encryption keys to the security services
> In America, there would be a strong argument that this is in contravention of the Fifth Amendment of the Constitution (as it would be self-incrimination). Not sure how that's played out though.
> But yes, in the UK, there is a specific criminal offense of "Not disclosing your encryption key" which carries a 2 year sentence... and you can of course, be asked to disclose your key again once you've served it...
I think that you would have a good chance of arguing that being asked again after serving a sentence would be attempting to try the same offence again, for which a sentence had already been served. Of course you never know which way courts will go though.
Why?
Not everyone has a phone, but they may have email by going to a library to read and send it.
Not everyone who has a phone has a smartphone with texting capability. They have a phone just for emergencies.
Not everyone wants yahoo to track you by knowing your phone number. They already track by gps and ISP geolocation now.
I guess a lot of people won't be able to log in if this happens. I currently just ignore their constant prompts for the phone number.
Finally there is a way for the NSA to easily link your Yahoo email address and your mobile phone number.
Just make sure to constantly use your GPS on your phone, you'll be safer that way.
Remember, if yahoo cannot sell your data, if the NSA cannot read your email the terrorists win.
It's not trying the same offense again, if you refuse to hand over the key a second time.
If you get released from prison after serving your sentence for bank robbery, you can still be sentenced again if you rob another bank.
> "Not disclosing your encryption key"
Which, given the existence of steganography, means... anyone whom the government wants to be a criminal, is one.
How convenient.
You are not constantly sending me text messages every time I want to log in. It annoys me enough to deal with this the first time I authenticate a machine with Gmail but at least that is just one time.
I bet Hillary Clinton wishes this was an option for her "private" email account.
I checked out the link, there was no mention of what kind of encryption they will be implementing. Most likely one that was already compromised by NSA? And they basically want to cram this one down our throats before a less NSA-friendly protocol takes hold.
Also as for dropping the password requirement, we are 1 step closer to losing anonymity on the Internet (It never really was anonymous). But when you tie-in services with something like a phone number and/or address, it gives the powers that be a way to punish you for misbehaving online (because for most of us, changing phone numbers/address is no trivial task).
Yahoo, Google and others keep asking me for my mobile phone number. I have none. A lot of people don't have cell phones and even more don't have smartphones. A lot of the country, a lot of the world does not have cellular coverage.
While my Mobile Phone has a lock screen, text messages are briefly displayed in it even in lock mode. Which means anyone who has my phone can briefly see the plain-text 'code' that Yahoo will text that number, even if the mobile device itself is locked for normal use. So (setting aside the legitimate issue that I may not have cell coverage all the time), it would seem rather easy to bypass the security mechanism here, because Yahoo is essentially putting my reset code out to an unsecured endpoint in a publicly visible manner.
As SMS are far from secure, they just transmit the key access to your emails as readable by [nsa]body.
-- Laurent Pointal
> Yahoo also demonstrated a new authentication system that doesn't use permanent passwords. Instead, they allow you to associate your Yahoo account with your phone, and text you a code on demand any time you need to log in. It's basically just the second step of traditional two-step authentication by itself. But Yahoo says they think it's "the first step to eliminating passwords."
Takes security out of the user's hands and gives it to yahoo. Bad idea.
> Is that right? I assumed that US law was like UK law - there is no law against using strong encryption but you can be compelled to give the encryption keys to the security services.
You always have the right to remain silent. You cannot be compelled to give testimony, although they might try to slap you with an obstruction of justice rap.
Admit nothing. Deny Everything. Make Counter-accusations.
Oh no, my phone is dead/stolen! Better email people and tell them not to phone me and I'll be reachable by email.
Just need to log into my email and ... ... shit...
It's the slowest, most annoying one out there. And, please, do NOT ever again add snowflakes in Christmas - it only makes it even slower and more annoying. And it reveals that Yahoo has a provincial mindset: A large percentage of the connected world has no snow in Christmas.
What will people using traditional email clients on their desktop/laptop computers and pocket computers (aka smart phones) do when passwords are obsolete? IMAP clients have the IDLE feature to be notified when new email arrives so they can alert you. Will they need 2 factor authentication only when establishing the connection? Or maybe they will never support 2 factor authentication, only the webmail client will.
What about using OTR for sending the text message with a password? I hate the idea of any text message being sent/received without OTR. Might as well post your password on Facebook
This has nothing to do with privacy or encryption. It is merely a way to absolutely correlate your online identity with your actual identity. Removing any hope of anonymity you might have once had.
> While my Mobile Phone has a lock screen, text messages are briefly displayed in it even in lock mode. Which means anyone who has my phone can briefly see the plain-text 'code' that Yahoo will text that number, even if the mobile device itself is locked for normal use. So (setting aside the legitimate issue that I may not have cell coverage all the time), it would seem rather easy to bypass the security mechanism here, because Yahoo is essentially putting my reset code out to an unsecured endpoint in a publicly visible manner.
Settings | Sound and notifications | When device is locked | Don't show notifications at all. Problem solved, at least on Android :-)
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
In the US, when the judge orders it and you don't comply, it's contempt of court. He'll have you thrown in jail until such time as you agree to unlock your phone.
There's a case going through Canadian courts where someone refused. We'll let you know what happens, if anything, because apparently this was the first time that a Canadian has refused to let Canada Border Services (CBS) look at their phone and CBS decided to make an issue of it.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I don't think the suggestion was relating to what the US government can compel from users of Yahoo's service, but rather that they could compel Yahoo to provide the government access to that user's emails while simultaneously compelling Yahoo to deceive the user about having done so. The notion is that Yahoo could show the world source code and intend to use it, but when it came time to actually put it into use, the government could come and force Yahoo to use different code, written by the government, while also forcing Yahoo to lie to the world, claiming that it's using the code it had originally intended to use. Five years ago this might sound like a bizarre conspiracy theory, but now it seems much less like a question of whether the government would try than a question of how successful the government might be at forcing all the Yahoo employees who would have to know about the lie to keep it secret.
... privacy.
No phone number, no yahoo or google account for you. Because ... the NSA wants to know you.
Please...serious answers only...I don't care if you hate/love Apple or Android.
But, what is the likelihood of the following:
1) Malware running on your non-jailbroken iPhone?
2) Malicious scripts running in the browser talking to other apps on the device?
3) Potential for your SMS traffic to be intercepted on a non-jailbroken iPhone?
4) Ability of an app to access SMS traffic on an iPhone?
Now, apply the same questions as they apply to latest incarnation Android?
My understanding is that sandboxed nature of iOS would/should prevent malicious apps from being run (assuming, you don't download one from the store or have allowed someone to physically compromise your device). iOS does not allow one access to received SMS traffic (unlike, Android). This means a user would have to manually enter the received token. To gain access to pushed traffic, something like APNS (on iOS) or GNS (Android) might be a better solution. Dumb phones can use SMS.
I would not suggest accessing your email from the same device as your token receiver, but can iOS' sandbox architecture provide enough of a firewall?
Are there exploits in the wild for iOS and/or Android making this a serious threat?
Not since Heartbleed, their web server was vulnerable for *days*
"But Yahoo says they think it's "the first step to eliminating passwords.""
And another in a long line of steps that remove any anonymity from the user.
"If any question why we died, Tell them because our fathers lied."
But that assumes you don't want ANY text messages displayed. I have need to see most text messages when in lock mode, and there's no way to screen this specific type of notification out. One approach would be for the initial message from yahoo to not contain the actual code, but rather require a response before sending the actual code in a second text message. And yes, text messaging rates would apply :)
The last time I wrote code, it was Morse
From their intro video it appears that you generate your key on their website and even have a backup code that lets you retrieve it. How is this end to end? If they can retrieve the key for you and hold your private key for you, they can be compelled to release it (or knowing Yahoo's track record, accidentally leak it or get hacked).
Are people that stupid or is our memory really that short? Cell phones are the most privacy unfriendly and insecure devices ever imagined. We have ZERO control over them. Governments can remotely listen because, get this, they don't permit the release of source code for critical components and that component generally has access to the central device's CPU and RAM as well as control over the mic. Then even if that wasn't the case they're literally tracking devices by design. In order to communicate they *must* know where you are, approximately. In reality in most scenarios they know exactly where you are.
Now, you might say you're not worried about the government. Problem is that the phones are so insecure that ANYBODY can listen in. It's just a matter of having a computer these days, a bit of extra tech, and doing a little reading.
A reasonably long and challenging password was a better option than this. The reality is they are doing this because they want to identify you for advertising purposes and/or government. I stopped using Yahoo! a long time ago (maybe 2007) because of the horrible stuff they were doing (ie MS had a stake and then they eliminated the "open source" section on Yahoo! News- just one example).
Google and Microsoft are just as bad. We need people to move away from these companies if we want to have any hope of getting back any resemblance of privacy/security.
The NSA can read your txts too. If they get a copy of the email not hard to get a copy of the txt to decode, right?
If you have decided to show messages this way for convenience, then you have chosen to accept the risk of displaying messages. Your risk acceptance is based, presumably, on a cost/benefit analysis of this exposure. This is within your control to change; either accept the risk by leaving the setting unchanged and mitigating some other way (phone always in pocket), or mitigate the risk by turning off the setting and paying the cost of unlocking your phone to read messages.
Or set up a do not disturb policy and allow only text senders you care about to disturb you. ;)
There is also a middle ground between people who live on their phones and people who live without one. It's called prepaid mobile phone service, and it often carries a fee of 20 cents per sent text message and 20 cents per received text message. Having to pay 20 cents every time you log in to Yahoo! is not fun.
I don't even have a computer or internet access and they wouldn't let me sign up.
I see the point you're trying to make with your sarcasm, but there's a difference: Public libraries offer Internet access. They do not offer SMS access.
Then perhaps the right way to think about it is that the cost/benefit analysis differs depending on the sender. If the sender is Yahoo! or another authentication service, show only the sender. If the sender is anyone else, show the sender and a few words.
This is a solved problem, although by a commercial solution. Symantec's Encryption Desktop....
I stopped reading after that. If you think Symantec is a solution to any problem that exists, then we'll just have to agree to disagree.
Can't you just make a throw-away VOIP (Skype, etc) number for this purpose, then get rid of it?
You can make it. You can try to use it. But when you do, Yahoo! will probably reject it as "unsupported carrier" the same way it does land lines.
They still require you to give up your PERSONAL TRACKING DEVICE called your PHONE or you cannot create an account.
Yeah, they're into enabling your privacy.... riiiiiggggghhhhhttttt.
That should be optional, as in, if YOU want to supply it, not them.
You can also do it on an app-by-app basis.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Try accessing this URL while logged in to Yahoo.
https://developer.yahoo.com/yql/console/?q=select * from social.profile where guid = me
Are you able to harvest a phone number using YQL?
I was. Disturbingly, even after "deleting" the phone number from my Yahoo profile, the query result still includes a phone number.
On a related note, I wish Yahoo would at least properly implement OpenID Connect before delving into more exotic login scenarios.
This has been aggravating me lately. I refuse to give them a cell number, and I have a reason aside from not wanting to give it out.
I work in a remote location where cell phones are not allowed (and they would not get any reception there anyway), and that is the only place I normally use my Yahoo email account. But the location of the company's internet varies, sometimes due to VPNs. So Yahoo keeps thinking I am someplace else and wants to send a text to my cell (which I don't have with me and would not work if I did). It sent a message to my other email account (that I cannot access until I get home) to verify.
So my Yahoo account has become useless to me.
With the yahoo encryption module, you will require a yahoo decryption module. Ergo, reading encrypted yahoo mail from gmail will or should not work.
I am certain that this non-universality concept will be equivalent to floating a lead balloon.
Leslie Satenstein Montreal Quebec Canada
Well of course there are all kinds of email services out there and nobody wants to miss out on the wave of interest in using an email you can dump to avoid spam, so you can use a service like http://www.pop3.xyz