Yahoo! Communications Encryption Security

Yahoo Debuts End-To-End Encryption Email Plugin, Password-Free Logins 213

An anonymous reader writes: Yahoo has released the source code for a plugin that will enable end-to-end encryption for their email service. They're soliciting feedback from the security community to make sure it's built properly. They plan to roll it out to users by the end of the year.

Yahoo also demonstrated a new authentication system that doesn't use permanent passwords. Instead, they allow you to associate your Yahoo account with your phone, and text you a code on demand any time you need to log in. It's basically just the second step of traditional two-step authentication by itself. But Yahoo says they think it's "the first step to eliminating passwords."
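
The on-demand login code described in the summary, sketched server-side as an added example (it is not Yahoo's code and not part of the original submission). The class and method names, the code length, the lifetime and the attempt limit are all assumptions chosen for illustration; the sketch shows the properties such a scheme depends on: short expiry, single use, and a cap on guesses per issued code.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example; the page does not state Yahoo's.
CODE_DIGITS = 8          # length of the texted code
CODE_TTL_SECONDS = 300   # how long an issued code stays valid
MAX_ATTEMPTS = 3         # guesses allowed against one issued code


class OnDemandCodes:
    """Issues and verifies single-use login codes, one pending code per account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side key for stored digests
        self._pending = {}  # account -> [digest, expires_at, attempts_left]

    def _digest(self, account, code):
        # Keep only a keyed digest so a leaked table does not reveal live codes.
        msg = f"{account}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account):
        """Create a fresh code (replacing any older one) for the SMS gateway to send."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [
            self._digest(account, code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, account, code):
        """Return True once for the right code; expire, count and burn everything else."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[account]
            return False
        entry[2] = attempts_left - 1
        # Constant-time comparison avoids leaking how much of a guess matched.
        if hmac.compare_digest(digest, self._digest(account, code)):
            del self._pending[account]  # single use: a replayed code fails
            return True
        if entry[2] == 0:
            del self._pending[account]  # out of guesses: a new code must be issued
        return False


if __name__ == "__main__":
    svc = OnDemandCodes()
    sent = svc.issue("alice@example.invalid")  # constructed account name
    print("first use :", svc.verify("alice@example.invalid", sent))
    print("replay    :", svc.verify("alice@example.invalid", sent))
```

With these assumed values, a blind guesser gets three tries in a space of 10^8 per issued code, so the remaining exposure is the SMS delivery channel itself, which is what several comments below argue about.
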
This discussion has been archived. No new comments can be posted.

  • I hope... (Score:4, Interesting)

    by AlCapwn ( 1536173 ) on Monday March 16, 2015 @05:22AM (#49265535)
    I hope that if the recipient gets an encrypted email, it shoves the plugin down their throat. Maybe that way people will start adopting encryption.
    • Re:I hope... (Score:5, Insightful)

      you can't make people care

      there will be plenty that just don't care about privacy

      there will be plenty that don't care and they're right: their online life is shallow crap

      there will be plenty that don't care and they're wrong: their online info is used against them

      some small fraction of the latter group will make an effort to correct that problem

      this is, and always will be, a small percentage of people online

      and honestly: it's not a problem. most people just aren't that interesting

      if you want to spin frightening scenarios of government knowing everything about them, advertisers profiling their lives in every detail, the ease at which their finances and physical location can be found in a snap, etc... they still won't fucking care

      welcome to reality

    • by AmiMoJo ( 196126 ) *

      Plugins are the wrong way to implement this. Plugins for browsers are generally a bad idea, and need extensive sandboxing to even begin to be secure.

      There are pure Javascript implementations of public key crypto, but what it really needs is a new standard that browsers can adopt to support it. That could be extensions to Javascript or it could be something else, but a Yahoo specific plugin isn't the way to go.

      • Re:I hope... (Score:4, Informative)

        by CronoCloud ( 590650 ) <cronocloudauron.gmail@com> on Monday March 16, 2015 @09:30AM (#49266487)

        The real problem is that people are using web browsers to read their e-mail instead of a proper e-mail client that already supports the existing standards of pgp and s/mime. This yahoo plugin is actually based on google's code for an end to end plugin. It implements pgp.


        • Re:I hope... (Score:5, Interesting)

          by mlts ( 1038732 ) on Monday March 16, 2015 @10:57AM (#49267223)

          This is a solved problem, although by a commercial solution. Symantec's Encryption Desktop (formerly PGP desktop) allows one to either decrypt/check signature and view what is on the clipboard or decrypt/check signature and view what is in the current window.

          We don't need a Web browser plugin. This is like drilling a hole in a boat that has one hole already in it, expecting the water to drain out.

          Instead, we need something with functionality similar to SED that is completely standalone from other applications and functions completely independent of the Web browser. This is tougher than it sounds. GPG4Win is a good effort, but it does not come anywhere close to the ease of use that SED has. Macs and Linux have decent utilities like GPGTools (which was pictured.) If PGP decryption is put into something, it should not be part of a Web browser, but should be in the MUA. Web browsers should have as little running as possible, just so they have as small an attack surface since they are the biggest frontline for computer compromise these days.

          The beauty about the OpenPGP spec is that it is completely independent of any transport mechanism, be it Slashdot posts, E-mail, MMS, AIM, Facebook's PM, or a file saved to a ZIP drive. Tethering it to a protocol can easily render a quite secure system extremely insecure, if only for the fact that a specific program or browser extension would be needed for the decryption.

          Ideally, fetching E-mail via the Web should be more of an item of last resort, where one is using another machine. A high quality MUA (Thunderbird, Mail.app, Outlook, even mutt) is a lot more secure than a Web browser.

          • This is a solved problem, although by a commercial solution. Symantec's Encryption Desktop....
            I stopped reading after that. If you think Symantec is a solution to any problem that exists, then we'll just have to agree to disagree.
        • by Rich0 ( 548339 )

          The real problem is that people are using web browsers to read their e-mail instead of a proper e-mail client that already supports the existing standards of pgp and s/mime. This yahoo plugin is actually based on google's code for an end to end plugin. It implements pgp.

          The problem is that the browser+javascript is the most ubiquitous platform around. It is also FAR more convenient to use.

          I'd love to see a decent FOSS webmail application that supports encryption. The only options that exist right now are pretty weak compared to something like GMail.

          • by unrtst ( 777550 )

            The real problem is that people are using web browsers to read their e-mail instead of a proper e-mail client that already supports the existing standards of pgp and s/mime. This yahoo plugin is actually based on google's code for an end to end plugin. It implements pgp.

            The problem is that the browser+javascript is the most ubiquitous platform around. It is also FAR more convenient to use.

            I'd love to see a decent FOSS webmail application that supports encryption. The only options that exist right now are pretty weak compared to something like GMail.

            I get the feeling that very few people understand the problem here.

            Both pgp/gpg and s/mime require ownership of a public/private key pair.
            True, all the algorithm stuff for signing and encryption has already been implemented in javascript, but it's all useless without the keys.
            How do you store and access those keys safely and securely from a web browser? That's what most of the existing webmail plugin solutions for pgp/gpg/smime do - they just provide a local keystore and make that available to the js method

            • by Rich0 ( 548339 )

              How do you store and access those keys safely and securely from a web browser? That's what most of the existing webmail plugin solutions for pgp/gpg/smime do - they just provide a local keystore and make that available to the js methods to do the work.

              Oh, I get that. However, there are a few options:

              1. Store it on the server. That doesn't protect you against server compromise, but it still protects you against a lot of stuff, and there is no reason the server can't be as secure as your client would otherwise be. Keep in mind that webmail does not necessarily mean 3rd party provided.

              2. HTML5 storage plus javascript. This can in theory be about as secure as a local client, but my big concern here is having some way to ensure that the javascript isn't

      • by DarkOx ( 621550 )

        JavaScript is not a solution to this problem. To use PKI effectively you MUST trust the client. You can't trust the client if it's being sent to you from one of the men in the middle "Yahoo" every time you use it.

        All it takes is for any of the following to happen and you are boned.

        1) Someone SE's a CA or obtains a Yahoo.com Certificate by some other method, national security letter, hack of yahoo etc, then MITMs you and Yahoo

        2) Somebody hacks Yahoo and is able to alter the content on their web servers

        3) Y

    • Considering that very few slashdotters in this discussion have PGP keys posted to slashdot..... I don't think that's too likely.

  • by dixonpete ( 1267776 ) on Monday March 16, 2015 @05:30AM (#49265555)
    I don't. I tried to sign up with Yahoo a few weeks ago and got cockblocked by this. They required a mobile number.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      The mobile number is just used to ensure two channels to the client, preventing a third party from sniffing both parts of the initial key. This is a very standard way to ensure that the encryption is actually secure. I would be more nervous if they DIDN'T require a mobile number (or secondary channel)

      • by itzly ( 3699663 ) on Monday March 16, 2015 @06:27AM (#49265721)

        If the phone number is exchanged on a compromised channel, it can still be attacked by a man in the middle.

      • by gl4ss ( 559668 )

        why would you do it in a way where interception of the initial communication would compromise anything? the client program can have the cert included so mitm would set off alarms, so to compromise it the initial client delivered to the handset would need to have been compromised, in which case you would be fucked anyways?

        you know why they want the phone number and so does pakistani government..

      • by Himmy32 ( 650060 )
        Or it's a way to associate your real life identity for advertisers. That way they can take the data from your grocery rewards card and push targeted advertising on your inbox to help you change soap brands.
      • by allo ( 1728082 )

        no, it's mandatory on sign up.

    • They required a mobile number.

      If I needed a phone to access my email, I think I'd rather use the phone to make a damn phone call and skip the email.

    • by Xarius ( 691264 )

      I'm not sure why a luddite would also want an email account!

      But in seriousness, at least in the UK, you can have SMS sent to a landline number no problem. Some magic along the way results in a phone call and a robot reading out the text message. Our banks even use an automated outbound voice messaging platform to do the same thing as the SMS for people who don't have a mobile.

      I expect they'll offer this if demand is high enough.

    • ... privacy.

      No phone number, no yahoo or google account for you. Because ... the NSA wants to know you.

    • by antdude ( 79039 )

      Same with AIM.com sign ups. :( Not everyone has mobile phones. I don't own one/1 either!

  • BS (Score:2, Insightful)

    by Anonymous Coward

    End to end encryption with sending the code over an unsecure SMS so that the NSA can decrypt it anyway.
    Nice.

  • *facepalm* (Score:5, Insightful)

    by thegarbz ( 1787294 ) on Monday March 16, 2015 @05:53AM (#49265637)

    Yahoo needs to understand that the purpose of 2-factor authentication was not to replace passwords, but rather to ... provide a second factor of authentication.

    Remember ideally:
    1. Something you know
    2. Something you have
    3. Something you are

    Each is no more secure than the other, but together they form a far stronger system than any individual component.

    • Re:*facepalm* (Score:5, Informative)

      by itzly ( 3699663 ) on Monday March 16, 2015 @06:02AM (#49265661)

      I'm sure Yahoo understands this. But who wants to go through the hassle of two factors of authentication (including using a unique and difficult password) every time they want to read an e-mail?

      What they're trying to do is find a way to provide good enough security that people will actually use.

      • Re:*facepalm* (Score:5, Insightful)

        by mwvdlee ( 775178 ) on Monday March 16, 2015 @06:16AM (#49265693) Homepage

        Wouldn't this ideally be presented as a choice to users?

        1. I don't care who reads my email; use either password or SMS only.
        2. I care only slightly who reads my email; use two factor authentication.
        3. My email is actually of some importance; choose a different email provider.
        4. My email contains sensitive information; cancel all my email accounts.

      • by Zocalo ( 252965 )
        Given the huge volume of spam that gets sent from compromised free mail accounts such as Yahoo! et al, mostly due to people using dumb passwords or getting their PC rooted, I can see why Yahoo! might want to move to something else; in that case something you have (a phone) is vastly more secure than a password known to you and a whole bunch of blackhats. That's almost certainly the issue Yahoo! is trying to solve here, rather than the one of securing access to data which, given that it's on a free mail pro
        • Re:*facepalm* (Score:5, Interesting)

          by mlts ( 1038732 ) on Monday March 16, 2015 @11:14AM (#49267353)

          Another idea that comes to mind is to use a feature that all web browsers have had for over 10 years (even Lynx) -- client certificates.

          This way, on setup, the website asks the user if the current client certificate presented is the one he or she wants to use, then from there on, authentication is completely transparent.

          It goes without saying to have SMS as a backup, but the absolute easiest way to authenticate on a "known good" computer is to have a client cert.

          • That works if the client is secure and consistent.

            Not so good for an online web email service. And even less good for a phone which is easily lost or stolen.

      • Re:*facepalm* (Score:4, Interesting)

        by thegarbz ( 1787294 ) on Monday March 16, 2015 @08:32AM (#49266125)

        Passwords don't need to be unique or difficult. That's just stupidity created by people with overly aggressive password policies. If someone is going to go to the effort of using the "Something you have" route for authentication then the "something you know" is not a lot of extra effort especially if we can do away with the stupid 8+char+number+capital+symbol+unique_unicode_char_not_typable_by_a_normal_keyboard bloody combinations.

        You instantly become resistant to brute forcing attempts with 2 factor authentication. The password doesn't need to be batteryhorsestaple if the max password entry rate is a password every 10 seconds. Simply horse would do. Heck Aardvark is probably sufficient too because who in their right mind would dictionary attack a password that slowly.

      • by AmiMoJo ( 196126 ) *

        I've only used Google's implementation but it isn't much of a hassle at all. Your phone has an app that generates codes. The Gmail app doesn't need them because it's already running on your phone. When you log in to any Google app you need to put the code in, but can opt to never ask for it again on that computer. It is tied to the Chrome installation. You also only have to do it once and then you can access all Google services for that session without more codes.

      • The password could still be saved in the client and 2FA added as an additional layer. I personally won't be using Yahoo! mail for mobile much longer as their new versions require extensive additional permissions. Currently the app has no objectionable permissions, but the new version wants much more, namely: Device & App History, Identity, Contacts, Location, SMS, Wi-Fi connection info, Device ID and Call info. My current app functions as needed, WTF would I enable all that additional access? I pay for

    • Re:*facepalm* (Score:4, Interesting)

      by chihowa ( 366380 ) on Monday March 16, 2015 @10:39AM (#49267081)

      That's the purpose of "two-factor authentication", but not the purpose of any single factor. Yahoo is replacing the single factor "something you know" with "something you have", which is possibly an upgrade in security.

      The factors themselves aren't equivalent in terms of security. "Something you have" is much easier for a normal person to secure than "something you know". That's why houses and cars use keys and office buildings use keycards and not codes. People (on average) are pretty decent at holding onto their phone and horrible at keeping their password safe (even if they pick a good password, which they won't).

  • I wonder how many people access yahoo mail on their phone, in effect reducing the protection to 1-factor authentication again? I know people who have Paypal accounts accessed on the smart phone with passwords remembered - and use SMS to the same phone as authentication!
  • by XB-70 ( 812342 ) on Monday March 16, 2015 @06:37AM (#49265765)
    Fuck Yahoo! This is just a sleazy way to collect phone numbers and associate them with email addresses.

    What if your phone is dead/stolen and you desperately need to get a message out? You're fucked.

    NOTE: They just killed Yahoo! Profiles. In short, they are collecting data for themselves while making it harder and harder for Yahoo! users to search each other out.

    • by OzPeter ( 195038 )

      Fuck Yahoo! This is just a sleazy way to collect phone numbers and associate them with email addresses.

      You seriously don't think that this practice is confined to Yahoo! do you?

    • Actually it's 2-factor authentication on the cheap as users don't think their own security is worth spending money buying a token. It also makes a shitload more sense than a recovery email address, because that's the reason I sign up for email, just so I can use a different email account and keep an old one live right?

  • PGP doesn't protect metadata.
    • Re: (Score:2, Informative)

      by Chrisq ( 894406 )
      In a standard smtp environment nothing can protect the email meta-data.
      • Sure there is. All you have to do is use steganography to encode your message into a photo, then use that photo in what looks like a spam email message, then pretend your computer is taken over by a botnet and send the spam to a few thousand email addresses (including the one you actually want to send to). Absolutely no useful metadata there.

        • Actually you just post it to a photo site that does not do image conversion or resizing. Thousands will look and that way you are not spamming.
        • by Chrisq ( 894406 )

          Sure there is. All you have to do is use steganography to encode your message into a photo, then use that photo in what looks like a spam email message, then pretend your computer is taken over by a botnet and send the spam to a few thousand email addresses (including the one you actually want to send to). Absolutely no useful metadata there.

          Do you know what metadata is [makeuseof.com]? It's the information like who it originated from and the destination address. That will still be

  • by mrlinux11 ( 3713713 ) on Monday March 16, 2015 @06:58AM (#49265823)
    SQRL completely eliminates the need for passwords https://www.grc.com/sqrl/sqrl.... [grc.com]
    • by awol ( 98751 )

      And everyone in the UK speaking world dies laughing / retching.
      Cheers,....

    • Steve Gibson is still relevant?

  • You are not constantly sending me text messages every time I want to log in. It annoys me enough to deal with this the first time I authenticate a machine with Gmail but at least that is just one time.
  • I bet Hilary Clinton wishes this was an option for her "private" email account.
  • As SMS are far from secure, they just transmit the key access to your emails as readable by [nsa]body.

    • First, this entire thing is optional, so everyone who is getting upset about "needing to have a phone" should just calm down.
      Second, you don't need to use a web browser or sms - they have an app for that.
  • by gsslay ( 807818 ) on Monday March 16, 2015 @09:20AM (#49266413)

    Oh no, my phone is dead/stolen! Better email people and tell them not to phone me and I'll be reachable by email.

    Just need to log into my email and ... ... shit...

    • I would hope that Yahoo is smart enough to do like Google does and have a set of one-time pads that you can refresh at any point. I always have a couple written in my wallet just in case I sit down at an untrusted terminal and my phone is dead.
    • Comment removed based on user account deletion
      • by AHuxley ( 892839 )
        The problem long term is people feel very secure with a phone and fancy new code.
        Only the site sending the code and 'the users' phone will ever know :)
        The phone is on all day, the logs are kept for years, lots of different groups might get the logs in bulk for official use or even local legal issues.
        That's a very long term record of a username, when created and all connected phone activity, movements over many years.
        The multitude of passwords and logins do offer a user the ability to only keep data with a
  • Please...serious answers only...I don't care if you hate/love Apple or Android.

    But, what is the likelihood of the following:

    1) Malware running on your non-jailbroken iPhone?
    2) Malicious scripts running in the browser talking to other apps on the device?
    3) Potential for your SMS traffic to be intercepted on a non-jailbroken iPhone?
    4) Ability of an app to access SMS traffic on an iPhone?

    Now, apply the same questions as they apply to the latest incarnation of Android?

    My understanding is that sandboxed nature of iOS w

    • by AHuxley ( 892839 )
      It depends on how interesting you are and who you work for or where you travel.
      Or the resale or fun of getting massive amounts of account logins.
      Security services, federal, state gov, a local court, local gov, a private group that works for local gov, staff that has local gov access, a private group that works for contractors with access, a person who can afford to request the account be found, tracking a journalist who had an email from that brand of email provider.
      Tracking back that person's phone gets t
  • The NSA can read your txts too. If they get a copy of the email not hard to get a copy of the txt to decode, right?
