In the same week that Google announced that it will give a search ranking boost to security-conscious websites, Yahoo has now revealed that it too will take a proactive stance on encryption.
The company announced at Black Hat that it will apply end-to-end encryption to its email services before the end of 2015.
The move is likely in response to the Edward Snowden revelations about government surveillance that have prompted many tech firms to assess their stance on privacy and encryption.
Thus far, Google has taken the biggest strides, with the aforementioned ranking change following previous announcements of support for end-to-end encryption in its Mail, Drive and Search products.
The change will likely be welcomed by Yahoo’s 273 million email account holders, who had previously been left behind as other email providers adopted encryption.
Yahoo’s encryption will not hide details such as who has emailed whom, or the contents of the subject line, but the body of the message will be covered by a version of PGP encryption, which has so far not been cracked.
In an interview with the Wall Street Journal, Yahoo chief information security officer Alex Stamos said:
“We have to make it clear to people it is not secret you’re emailing your priest. But the content of what you’re emailing him is secret.”
PGP relies upon both the sender and receiver of an email having their own encryption key, which could potentially lead to problems similar to those experienced at Lavabit, which closed down after being forced to hand its keys over to the authorities.
Yahoo and Google, however, both claim that they will not hand keys over, not least because they are massive companies with the funds required to finance a large number of lawyers, with Stamos saying:
“That’s very different from a publicly traded multibillion dollar company with an army of lawyers who would love to take this argument all the way to the Supreme Court.”
Mark James, security specialist at ESET, welcomed the news but pointed out that the average man in the street may not understand how to take advantage of the change:
“It’s great that two of the largest internet email providers will be offering us the ability to send end-to-end encrypted emails to each other. After Google announcing it was doing the same thing a few months ago, it is good to see another leading email provider following suit.
“It won’t mean a lot to the average user but anyone who wants to protect their emails when using these providers will be able to do so by using these browser extensions.
“So what does it actually mean? Well, once the browser extension is added and configured you will be able to send an email with the contents completely scrambled to anyone except the sender and receiver. No one will be able to read the content. There are many encryption tools available for those that want to install and use them but for the average user they are often scary to set up. I for one welcome any type of ‘easy’ security.”
I personally hope that Yahoo and Google do make their email encryption easily understandable by the less savvy web users out there, though, because we seemingly live in a society where having nothing to hide doesn’t mean no one will go looking anyway.