Yahoo will be rolling out end-to-end encryption capabilities for all Yahoo Mail users in 2015, the company's chief information security officer, Alex Stamos, announced during a talk at the Black Hat USA conference in Las Vegas Thursday.

Electronic Frontier Foundation technologist Yan Zhu, who worked on the HTTPS Everywhere and Privacy Badger browser add-ons andserved as a core developer for the anonymous digital leaking tool SecureDrop, wasannounced as the first hire for the project.

Zhu says that over the past few years she has seen increasedinterest inaccessible end-to-end encryption products, particularly from startups.But Yahoo's established user base could, she says, help make encrypting e-mail more mainstream.The company reports havingmore than abillion Yahoo Mail users.

"Yahoo Mail has a lot of users already using it," Zhu said in an interview with The Washington Post, "and mail is pretty sticky.It does take effort for people to change their mail service, so people would prefer to use their Yahoo Mail, or Gmail, or Hotmail with encryption rather than make a new account."

End-to-end encryption creates a sort of digital tunnel between the senders and receivers of e-mails -- helping to keep the prying eyes of everyone from governments to Internet service providers and mail providers themselves from seeing the content of messages. Most major mail providers already provide SSL encryption for webmail users -- Yahoo started the practice earlier this year, afterrevelations that its lack of the encryption gave the National Security Agency greater ability to collect users' address books than from other major providers. But end-to-end encryption is more technically difficult for the average user to implement and hasn't seen as widespread adoption among major services.

Google released the first version of an extension for its Chrome browser that allows users to send end-to-end encrypted message through Gmail in June. Stamos says Yahoo intends to offerend-to-end encryption to itsYahoo webmail users in a similar way. He added that the company is working with Google to make their implementation compatible with Gmail's.

Yahoo, Stamossaid, is also working on building end-to-end encryption into theYahoo Mail mobile app. Hesaidhe hopes that capability will be released in 2015, withthe browser plugin for webmail targeted forrelease earlier that year.

Stamos says that Yahoo does not expect the move to encrypt end-to-end e-mails will have any impact to on its ability to make money from mining information for advertising purposes.

"The kind of targeting that happens in e-mail servers does not usually happen against person-to-person e-mails," he says, instead coming from commercial marketing e-mails that he says users are unlikely to chose tobe encrypted end-to-end.

Yahoo has historically been consideredbehind the curve when it came to security best practices, and the company hit a number of security and stability hiccups in the past year. But Yahoo seems to be taking a more rigorous approach to the issue since Stamos joined the company in the spring.

See the original post here:
Yahoo to roll out end-to-end encryption option for all Yahoo Mail users in 2015

Revelations about the National Security Agency's electronic eavesdropping capabilities have sparked anger in Germany and a boom in encryption services that make it hard for the most sophisticated spies to read emails, listen to calls or comb through texts.

Jon Callas, co-founder of Silent Circle, which sells an encryption app allowing users to talk and text in private, said a series of disclosures from former intelligence contractor Edward Snowden last year have been a boon for business.

Silent Circle is one of a host of online security companies cashing in on swarms of new security-conscious customers around the world who want to shield their communications from foreign governments and nowhere is the market hotter than in Germany, whose chancellor, Angela Merkel, was reported to be a target.

"Germans have always been particularly attuned to security and privacy concerns," Callas said. "I think that culturally, Germany has seen privacy problems in their recent past. There are people who remember the communists. There is still a cultural sore spot over security and privacy, an understanding of what can go wrong better than any other place in the world."

The companies' customers range from diplomats and journalists to privacy advocates and people trying to protect trade secrets.

"If you're a reporter, you can talk confidentially to a source. If you're a banker, you can talk to a client. If you're a business person, you can use it in places where spying is a cultural norm," Callas said.

Although Silent Circle doesn't provide specific numbers, Callas said it saw a "huge increase" in subscriptions to its private phone and text service after Snowden's disclosures and a spike in Germany after two reported cases of suspected U.S. spying there earlier this year.

And while the technology has Silicon Valley roots, the servers are in Canada and Switzerland, two countries with strong privacy protections. Two weeks ago, Silent Circle also began selling a secure smartphone, whose first run sold out, Callas said.

At CeBIT, a leading tech industry event held annually in the German city of Hannover, Deutsche Telekom was among several companies to launch new security products on the back of Snowden's revelations.

"I want to send a personal thanks to the NSA, because we wouldn't be having this discussing if that hadn't happened," Reinhard Clemens, a Deutsche Telekom board member, told reporters. "That was the best marketing campaign we've ever had."

See more here:
Spying Revelations Lead to German Encryption Boom

Google Inc. (NASDAQ:GOOGL) just gave a nod to more-secure websites. The Mountain View, California, company said that encrypted websites that use HTTPS will get a boost in its ranking algorithm in a bid to encourage developers to adopt technology that protects against hackers.

Initially, fewer than 1 percent of global queries will be affected, Google said, but plans are to boost that weighting over time. Google's algorithm rewards sites with high-quality content a higher ranking in its search results, so the company has the power to spur Web developers into action. Google said developers will be given time to make the shift to HTTPS.

"This is a huge deal," Christopher Soghoian, a principal technologist for the American Civil Liberties Union, told the Wall Street Journal. "This is the ultimate carrot for websites" to use encryption. The newspaper reported in April that Google executives were discussing taking encryption into account in Web rankings.

Encrypted data adds a barrier between Web users and anyone snooping or seeking to steal their personal information. Google has stepped up its efforts to help make the Internet more secure in the wake of disclosures about Internet snooping by the National Security Agency. Yahoo Inc. (NASDAQ:YHOO) said in November that it planned to encrypt its data center traffic.

Over time, we may decide to strengthen it, because wed like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the Web, Google said in a blog entry Wednesday.

Google plans to publish a series of best practices around adding more secure encryption to websites, including tips on what certificate type is needed, how to use relevant URLs for resources on the same secure domain and best practices for allowing site indexing.

If a website currently uses HTTPS encryption, administrators can test its security using Qualys SSL Labs' online tool, Google said, or they can contact Googles webmaster forum for further help.

More here:
Website Encryption To Affect Google Search Results

Yahoo Chief Information Security Officer Alex Stamos announced today at Black Hat 2014 that starting in the fall of this year, the purple-hued company willbegin giving users the option of seamlessly wrapping their e-mails in PGP encryption. According to Kashmir Hill at Forbes, the encryption capability will be offered through a modified version of the same End-to-End browser plug-in that Google uses for PGP in Gmail.

The announcement was tweeted by Yan Zhu, who has reportedly been hired by Yahoo to adapt End-to-End for use with Yahoo Mail. Zhu formerly worked as an engineer at the Electronic Frontier Foundation, an organization thathas consistently been outspoken in its call for thewidespread use of encryption throughout the Web and the Internet in general.

In an interview with the Wall Street Journal, Stamos acknowledged that the introduction of encryption will require some amount of education for users to make sure their privacy expectations are set appropriately. For example, he explained that PGP encryption wont cloak the destination of your e-mail. "We have to make it clear to people it is not [a] secret youre emailing your priest, but the content of what youre e-mailing him is secret,"Stamos said.

Of course, nothing is stopping sufficiently motivated users from using PGP encryption with Yahoo Mail today. The problem is that without a plug-in like End-to-End, getting asymmetric key cryptography working in webmail (or in any e-mail client, for that matter) requires climbing a relatively steep learning curve. People wantingto communicate via encrypted e-mail have to be at least minimally familiar with how to exchange and manage public keys, how to keep their private keys properly secure, and how to actually encrypt and decrypt messages. Flattening that curve and turning encryption into a single-click process will go a long way toward increasing the number of people actively using encryption in e-mail.

The Wall Street Journal also brings up Lavabit, the encrypted e-mail provider that chose to go out of business last year rather than continue operating after giving the FBI the ability to decrypt its users messages. In Lavabits case, the government was able to compel the company to turn over its private SSL-TLS key, which could be used to view encrypted messages in flight between users computers and the Lavabit servers. With PGP encryption implemented in a browser plug-in, though, messages are encrypted before theyre transmitted, and the private keys cannot be disclosed by Yahoo because the companydoesnt possess them.

Stamos statement on the matter of what would happen if a government agency came calling is blunt. He characterizes Yahoo as "a multibillion-dollar company with an army of lawyers who would love to take this argument all the way to the Supreme Court."

See the article here:
Yahoo to begin offering PGP encryption support in Yahoo Mail service

Summary: At Black Hat USA 2014, Yahoo's CISO announced in a presentation that consumers will be seeing end-to-end encryption in its Mail product by 2015.

Today at Black Hat USA 2014, Yahoo's CISO announced in a presentation that consumers will be seeing end-to-end encryption in its Mail product by 2015.

Announcing a new PGP plugin that piggybacks off of Google'sPGP plugin, Alex Stamos told the audience at his talkBuilding Safe Systems at Scale - Lessons from Six Months at Yahoothat this project has been a priority since he joined Yahoo Inc. six months ago.

Recruited for the project is (now former) EFF staff technologist Yan Zhu.

In the Thursday talk, Stamos told attendees that Yahoo is using the end-to-end encryption plugin that Google released a few months ago, with the plan of having both Yahoo Mail and Gmail able to exchange encrypted mail between the services seamlessly and easily.

IT Security in the Snowden Era

The Edward Snowden revelations have rocked governments, global businesses, and the technology world. When we look back a decade from now, we expect this to be the biggest story of 2013. Here is our perspective on the still-unfolding implications along with IT security and risk management best practices.

The move is a step in the right direction for security teams endeavoring to bring ecncryption to consumers, which faces challenges around ease of use for the ordinary user.

Encryption has followed security's traditional quandary of easy versus secure. Basically, if anything [in tech] is easy to use, lots of people will use it -- but security and simplicity seldom go hand-in-hand.

Stamos directly referenced the 'post-Snowden era' of consumer privacy and security as the impetus for his push at Yahoo to his Black Hat audience.

Excerpt from:
Yahoo CISO: End-to-end Mail encryption by 2015