Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Debuts End-To-End Encryption Email Plugin, Password-Free Logins

Posted by Soulskill on from the from-one-end-of-the-internet-to-the-other dept.

An anonymous reader writes: Yahoo has released the source code for a plugin that will enable end-to-end encryption for their email service. They're soliciting feedback from the security community to make sure it's built properly. They plan to roll it out to users by the end of the year.

Yahoo also demonstrated a new authentication system that doesn't use permanent passwords. Instead, they allow you to associate your Yahoo account with your phone, and text you a code on demand any time you need to log in. It's basically just the second step of traditional two-step authentication by itself. But Yahoo says they think it's "the first step to eliminating passwords."

11 of 213 comments (clear)

  1. I hope... by AlCapwn · · Score: 4, Interesting

    I hope that if the recipient gets an encrypted email, it shoves the plugin down their throat. Maybe that way people will start adopting encryption.

    1. Re:I hope... by mlts · · Score: 4, Interesting

      This is a solved problem, although by a commercial solution. Symantec's Encryption Desktop (formerly PGP desktop) allows one to either decrypt/check signature and view what is on the clipboard or decrypt/check signature and view what is in the current window.

      We don't need a Web browser plugin. This is like drilling a hole in a boat that has one hole already in it, expecting the water to drain out.

      Instead, we need something with functionality similar to SED that is completely standalone from other applications and functions completely independent of the Web browser. This is tougher than it sounds. GPG4Win is a good effort, but it does not come anywhere close to the ease of use that SED has. Macs and Linux have decent utilities like GPGTools (which was pictured.) If PGP decryption is put into something, it should not be part of a Web browser, but should be in the MUA. Web browsers should have as little running as possible, just so they have as small an attack surface since they are the biggest frontline for computer compromise these days.

      The beauty about the OpenPGP spec is that it is completely independent of any transport mechanism, be it Slashdot posts, E-mail, MMS, AIM, Facebook's PM, or a file saved to a ZIP drive. Tethering it to a protocol can easily render a quite secure system extremely insecure, if only for the fact that a specific program or browser extension would be needed for the decryption.

      Ideally, fetching E-mail via the Web should be more of an item of last resort, where one is using another machine. A high quality MUA (Thunderbird, Mail.app, Outlook, even mutt) is a lot more secure than a Web browser.

  2. Re:That's great if you have a mobile phone by itzly · · Score: 3, Interesting

    If the phone number is exchanged on a compromised channel, it can still be attacked by a man in the middle.

  3. how many people access yahoo mail on their phone? by Chrisq · · Score: 1, Interesting

    I wonder how many people access yahoo mail on their phone, in effect reducing the protection to 1-factor authentication again? I know people who have Paypal accounts accessed on the smart phone with passwords remembered - and use SMS to the same phone as authentication!

  4. They should adopt SQRL by mrlinux11 · · Score: 5, Interesting

    SQRL completely eliminates the need for passwords https://www.grc.com/sqrl/sqrl....

  5. Re:*facepalm* by thegarbz · · Score: 3, Interesting

    Passwords don't need to be unique or difficult. That's just stupidity created by people with overly aggressive password policies. If someone is going to go to the effort of using the "Something you have" route for authentication then the "something you know" is not a lot of extra effort especially if we can do away with the stupid 8+char+number+capital+symbol+unique_unicode_char_not_typable_by_a_normal_keyboard bloody combinations.

    You instantly become resistant to brute forcing attempts with 2 factor authentication. The password doesn't need to be batteryhorsestaple if the max password entry rate is a password every 10 seconds. Simply horse would do. Heck Aardvark is probably sufficient too because who in their right mind would dictionary attack a password that slowly.

  6. Re:*facepalm* by disposable60 · · Score: 3, Interesting

    Out in the boonies, or in a reception-poor building in the 'burbs, SMS can take literal days to get through.
    That would be an inconvenience up with which I would prefer not to put.

    Now, an app that works like one of those SecureID fobs, so I'm not dependent on the vagaries of wireless reception? That would be pretty cool.

    --
    You're looking for quotes? See my journal.
  7. Re:That's great if you have a mobile phone by mordjah · · Score: 3, Interesting

    uhm.. no its really not.. you can purchase prepay sims that work as mvno (second class citizen, but no id) over the counter for 20 bucks or so.. no id needed.

    --
    "A mind reader? That sounds like sci fi." "Honey, we live on a space ship"
  8. Re:*facepalm* by chihowa · · Score: 3, Interesting

    That's the purpose of "two-factor authentication", but not the purpose of any single factor. Yahoo is replacing the single factor "something you know" with "something you have", which is possibly an upgrade in security.

    The factors themselves aren't equivalent in terms of security. "Something you have" is much easier for a normal person to secure than "something you know". That's why houses and cars use keys and office buildings use keycards and not codes. People (on average) are pretty decent at holding onto their phone and horrible at keeping their password safe (even if they pick a good password, which they wont).

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  9. Re:security by mlts · · Score: 3, Interesting

    You just hit the nail on the head. As of now, if someone steals my phone in an unlocked state, they will be able to get the second factor... but they won't be able to log into the account due to the password. What having just one factor does is make a phone theft all the more crippling where a bad guy can do a lot of damage.

    2FA is 2FA because it covers at least two of these properties: Something you know, somewhere you are located, something you are, and something you have. For example, a secure biometric system uses the fingerprint/retina scan as a username, then a PIN for access, or a remote access system uses a password and a OTP so that if the password gets sniffed, the OTP is still an obstacle.

    On the other hand, perfect is the enemy of the good. In general, someone is going to be less likely to have their phone stolen than to have their password sniffed or cracked, so moving to a SMS message can be argued to be a security improvement.

  10. Re:*facepalm* by mlts · · Score: 4, Interesting

    Another idea that comes to mind is to use a feature that all web browsers have had for over 10 years (even Lynx) -- client certificates.

    This way, on setup, the website asks the user if the current client certificate presented is the one he or she wants to use, then from there on, authentication is completely transparent.

    It goes without saying to have SMS as a backup, but the absolute easiest way to authenticate on a "known good" computer is to have a client cert.