Yahoo and Google last week announced they’d be teaming up to secure their Web mail systems with encryption by the end of next year.
“Our goal is to make end-to-end encryption fully available in 2015,” Yahoo Vice President of Information Security Alex Stamos said at the Black Hat hackers’ conference in Las Vegas.
“Our team is working closely with Google to ensure that our implementations of end-to-end encryption are compatible,” he continued. “What this means is that eventually, not only will Yahoo Mail users be able to communicate in an encrypted manner with other Yahoo Mail users, but also with Gmail users and eventually with other email systems that adopt similar methodologies.”
Adopting similar methodologies should be easier for those other email systems because Yahoo will be releasing the code for its encryption solution to the open source community.
“We will release source code this fall so that the open source community can help us refine the experience and hunt for bugs,” Stamos said.
Opening the code to many eyes means that even the NSA, which has been known to sit on software flaws so it can exploit them in the future in its own self-interest, can look at it.
That’s a risk worth taking, according to Phil Zimmermann, creator of PGP (Pretty Good Privacy), the encryption method to be used by Yahoo and Google.
“The benefits of having everyone else look at it far outweigh the problem of having the NSA look at it,” he told the E-Commerce Times.
Pretty Good Privacy
The encryption scheme for Yahoo Mail and Gmail will prevent intermediaries, including Yahoo and other mail providers, from being able to discover or tamper with the content of an email, Stamos explained.
The system will not only block email snoops but also put a kink in a Web mail provider’s ability to do robo scans of email content to create targeted ads for its users. While the content of a message will be encrypted, though, other parts of it — such as the subject line — will not.
“I don’t know how smart Google’s algorithms are, but maybe they can figure out ads just from the subject line,” Jeremy Gillula, a staff technologist for the Electronic Frontier Foundation, told the E-Commerce Times.
In any event, Yahoo doesn’t expect the inability to scan email content to have much of a revenue impact on the company’s bottom line, Stamos said.
PGP, the tool Yahoo and Google will be using, provides strong encryption, but it has drawbacks.
“It’s hard to use,” said Matthew Green, a computer science professor at Johns Hopkins University.
“If a Google or Yahoo really wanted to make encrypted email transparent, they could do better than PGP,” he told the E-Commerce Times.
“They might be able to make PGP usable if they filed off all its rough edges,” he added, “but that’s not what they’ve done for this version.”
Another potential obstacle to broad use of the new encryption features when they’re rolled out is that they won’t be turned on by default.
“When something is not on by default, people are much slower to adopt it,” Darren Hayes, a computer science professor at Pace University, told the E-Commerce Times.
When introducing complicated technologies into a system, though, it’s sometimes better to do so by giving users some choice in the matter.
“For what Yahoo and Google are proposing, they almost have to do it that way,” said Michael Sutton, vice president of security research at Zscaler.
“For things like encrypting everything in SSL, you don’t need implicit buy-in from the users because it’s very transparent. PGP is something you need end-user buy-in for because of the challenges it imposes on users,” he told the E-Commerce Times.
“PGP has been used in email for at least a decade and a half,” Sutton continued. “It’s a powerful way to encrypt email, but it has never had widespread adoption because it’s not the most user-friendly technology.”
What will be interesting is how the government reacts to Web mail providers encrypting their users’ email.
“The beauty to a solution like this is the email providers themselves won’t have access to the email,” Sutton said. “So if the government came to Yahoo or Google with a court order to see someone’s email, they would have to say, ‘We can’t do that.’”
That need not exhaust the government’s options, however.
“They can pass laws to require email providers to install backdoors so they can see email when they have a court order,” Sutton said, “which, of course, would defeat the whole purpose of encrypting email in the first place.”