updated 02:00 pm EDT, Sun August 10, 2014
CISO states security coming via a fork of Google's end-to-end encryption extension
Yahoo's Chief Information Security Officer Alex Stamos told attendees of the Black Hat online security conference last week that the search company would be rolling out end-to-end encryption for email some time in 2015. The company is taking an approach similar to Google's to tackle enhanced security for communications, even down to the details of using OpenPGP.
The news was tweeted from the conference by Yan Zhu, a former employee of the Electronic Frontier Foundation known for working on Privacy Badger, who was one of the first hires by Yahoo for its privacy engineering team. The Yahoo encryption appears not only to be similar to what Google is planning with its Chrome extension, but to be a fork of the project.
Stamos confirmed in the tweet stream that Yahoo is using a version that's compatible with the Yahoo front end. He added that the mobile app will have native encryption, while web-based users should be following the same extension approach as Google. Drew Hintz, a security engineer for Google, confirmed that it's the same end-to-end encryption from Google. Yahoo will be working with Google to make its encryption compatible with Gmail.
It appears that Yahoo will be requesting the aid of the community to help improve the service later on, as Stamos said that the code will be released in the fall. The goal is to have security-minded users help improve the experience as well as locate bugs. A Yahoo spokeswoman told CNet that no other providers were on board so far, but because of the open nature Yahoo hopes others will adopt it.
Yahoo announced last year that it would be encrypting all transmissions through data center links as a way to prevent information from being accessed by outside parties, including government agencies like the National Security Agency. The company also stated that it would put 2048-bit SSL encryption into place for Yahoo Mail users by January this year, but later added it would extend to all Yahoo products.
With Yahoo joining the likes of Google, the movement for the use of encryption by everyday users could gain more traction. For many, end-to-end encryption through Pretty Good Privacy (PGP) can be considered too complex to use. However, the complications are a matter of ease of use, as well as proper education. At a time when some companies are struggling to implement any form of mail encryption in transit, the move is a welcome one by Yahoo.