Yahoo To Add PGP Encryption For Email

Bismillah (993337) writes Yahoo is working on an easy to use PGP interface for webmail, the company's chief information security officer Alex Stamos said at Black Hat 2014. This could lead to some interesting standoffs with governments and law enforcement wanting to read people's messages. From the article: "'We are working to design a key server architecture that allows for automatic discovery of public keys within Yahoo.com and other participating mail providers and to integrate encryption into the normal mail flow,' Stamos said."

Re:Metadata

[Scutter]

"Metadata" is a media buzzword designed to make you feel good about having your data monitored. They're still monitoring your conversations. Stop buying into their talking points. The headers of your e-mail are as much your data as the body of the e-mail.

Re:Oh, god

[sideslash]

Yahoo mail improved dramatically after Marissa Mayer became CEO. It seems to me that they are actually trying to be more like Gmail, and it shows in a positive way. They still fall short, but as a longtime Yahoo mail user I'll take what I can get. At least their recent improvements are much better than your characterization, for sure.

And Google Cannot Follow

[Anonymous Coward]

google is doing this (http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html)

Mailvelope etc.

[Anonymous Coward]

The Mailvelope Plugin - https://www.mailvelope.com - already does that: encrypt webmails a la Gmail, Yahoo, Hotmail or your own Roundcube etc.. It does so in-browser, obviously. Still basic in functionality but works for simply sending messages back and forth. Clear-signing, though available, tends to get screwed up due to message wrapping on the receiving end.

You may also find https://encrypt.to a very cool thing. Essentially a simple contact form, that encrypts the message with GPG and sends it on to the actual mail account. That way, a user who does not use PGP can send failry secure mails to a GPG-user. A simple vanity-style URL can be given to such users for easy access to the input form. The scripts are freely available and can be used on your own webserver under your control. This idea may significantly help in overcoming the chicken/egg problem we are having in regards to PGP use!

As far as webmail with PGP goes, Startmail is already doing that. You create the keys in their interface (yes, I know!) and the use is very straight-forward. You can also communicate with outisde user who do not have PGP. They will get an SSL-link and access it via a previously agreed-upon passphrase. Their reply to the Startmail user from there will also get PGP-encrypted on Startmail's server and put into the Startmail user's mailbox.
While this setup is, for purists, far from ideal, it could help get normal people to use PGP. If you don't like it, stop bitching, and help make PGP easier to use the 'proper way'! ;-)

Why not S/MIME?

[Arkham]

Instead of PGP they should use S/MIME. It's functionally the same but is far more widely supported. It's even included in the Exchange ActiveSync protocol via ResolveRecipients to retrieve the public keys of other users. I don't dislike PGP/GPG, but if it were me I'd go with a more standard envelope.