back to article Yahoo! To! Switch! On! Webmail! Crypto! By! Default! Next! Year!

Following in the footsteps of Facebook, Google, and Microsoft, Yahoo! has said that it will make SSL encryption the default for all users of its Yahoo! Mail service beginning in January. The Purple Palace confirmed the plan in an emailed statement to the Washington Post on Monday. Yahoo! has only offered SSL encryption for …


This topic is closed for new posts.
  1. Schultz

    No protection from the NSA...

    but it's still nice if your neighbor in the cafe can't read your email.

    Only Big Brother watching, carry on.

    1. Anonymous Coward
      Anonymous Coward

      Re: No protection from the NSA...

      When decrypted, "SSL" = "NSA".

  2. Anonymous Coward
    Anonymous Coward

    Why does the NSA have to crack SSL? You have a secret court issuing secret orders with a hush order to make sure it all stays a secret for the provider to turn over the keys. The court required Lavabit to turn them over for not just Snowden but *ALL* users. That was well beyond the authority of the court as it violated the privacy of everyone using the service, not just whom they wanted to monitor. So the same could be done for any company based or has a physical presence in the US.

    1. Anonymous Coward
      Anonymous Coward

      Yep, if they want your information they just go and get it, no questions asked.

  3. mraak


    I hope they will also make it possible to reply to people. Right now those buttons appear on random basis.

  4. Frumious Bandersnatch


    That last line ... Yahoo! didn't actually say that it "takes the security of it's*users very seriously", did they?

  5. Anonymous Coward
    Anonymous Coward

    BULLRUN connect the dots

    Connecting the dots, NSA likely already has the keys to Yahoo, Google, etc. because at some point there will have been a limited court order, similar to the one issued to Lavabit. Once the key is handed over it's enough.

    Remember Bullrun?

    BULLRUN is NSAs database of encryption keys. They get keys using warrants issued by secret court orders. The Judge is persuaded by the FBI story that it will *only* be used to filter out the target and the rest will be thrown away so he issues the order on those limits.

    Lavabit for example were forced to hand over their SSL keys to the FBI, the FBI in turn hands them to NSA to do the actual surveillance.

    Once NSA has the keys it DOESN'T REALLY NEED THE INTERCEPTION BOX[5]. It has a tap on the backbones [1], and RECORDS AND STORES encrypted traffic for later decryption[2]. So really when they get the keys, that's all they need to decrypt all the HISTORIC traffic[3].

    They can then mine those emails for further passwords, keys etc. even on Americans[4]

    The Judge thinks he's issued a limited warrant, but that's not what's happened. NSA hands back the FBI only the data that falls within the judges warrant.

    The only purpose the box on Lavabit's network serves is to add an extra tap point, and it would let them fake email messages in a convincing way that look like they really came from Lavabit and really came from the account.

    [1] We know they tap the backbone

    [2] Encrypted traffic is one of the excuses used to keep US data

    [3] Ergo, once they get the keys they can decode that historic traffic too

    [4] Data of Intelligence value can be kept even on Americas,its one of the exceptions and we know they mine emails and conversations for passwords and other data. Hence they can have a go back through that now unencrypted data and have a good look.

    [5] Using the historic data and the ongoing taps, it doesn't need the box on Lavabits network. I think that's just a toy to get the judge to focus on, when the real prize is the SSL key.

    So to sum up, if you use Yahoo, Google, Hotmail, Facebook etc. once they've handed over those keys, all your future and past discussions are then available in the giant database General Alexander has built. Even if the FBI is handed a subset that complies with the judges order, it is likely everything is still stuck in the database, aka 'lockbox' and continue to be used to populate the database via Bullrun.

    1. Anonymous Coward
      Anonymous Coward

      Re: BULLRUN connect the dots - Historic Traffic

      As far as I understand it, the SSL key is used briefly while the two parties negotiate a session key which is used to encrypt the traffic. Unless that session key is recorded for every connection, isn't the historic traffic worthless?

    2. Anonymous Coward
      Anonymous Coward

      Re: BULLRUN connect the dots

      Calm down AC.

      Without getting into the mathematics of it, if the NSA were technically capable of breaking the forward secrecy property of SSL, they likely wouldn't need the SSL keys in the first place.

  6. Dan 55 Silver badge

    Does that mean they're going to fix their SSL implementation or just flip the switch?

This topic is closed for new posts.

Other stories you might like