Following in the footsteps of Facebook, Google, and Microsoft, Yahoo! has said that it will make SSL encryption the default for all users of its Yahoo! Mail service beginning in January. The Purple Palace confirmed the plan in an emailed statement to the Washington Post on Monday. Yahoo! has only offered SSL encryption for its …
No protection from the NSA...
but it's still nice if your neighbor in the cafe can't read your email.
Only Big Brother watching, carry on.
Re: No protection from the NSA...
When decrypted, "SSL" = "NSA".
Why does the NSA have to crack SSL? You have a secret court issuing secret orders with a hush order to make sure it all stays a secret for the provider to turn over the keys. The court required Lavabit to turn them over for not just Snowden but *ALL* users. That was well beyond the authority of the court as it violated the privacy of everyone using the service, not just whom they wanted to monitor. So the same could be done for any company that is based or has a physical presence in the US.
Yep, if they want your information they just go and get it, no questions asked.
I hope they will also make it possible to reply to people. Right now those buttons appear on a random basis.
That last line ... Yahoo! didn't actually say that it "takes the security of it's*users very seriously", did they?
BULLRUN connect the dots
Connecting the dots, NSA likely already has the keys to Yahoo, Google, etc. because at some point there will have been a limited court order, similar to the one issued to Lavabit. Once the key is handed over it's enough.
BULLRUN is NSA's database of encryption keys. They get keys using warrants issued by secret court orders. The Judge is persuaded by the FBI story that it will *only* be used to filter out the target and the rest will be thrown away so he issues the order on those limits.
Lavabit for example were forced to hand over their SSL keys to the FBI, the FBI in turn hands them to NSA to do the actual surveillance.
Once NSA has the keys it DOESN'T REALLY NEED THE INTERCEPTION BOX. It has a tap on the backbones, and RECORDS AND STORES encrypted traffic for later decryption. So really when they get the keys, that's all they need to decrypt all the HISTORIC traffic.
They can then mine those emails for further passwords, keys etc. even on Americans.
The Judge thinks he's issued a limited warrant, but that's not what's happened. NSA hands back to the FBI only the data that falls within the judge's warrant.
The only purpose the box on Lavabit's network serves is to add an extra tap point, and it would let them fake email messages in a convincing way that look like they really came from Lavabit and really came from the account.
- We know they tap the backbone
- Encrypted traffic is one of the excuses used to keep US data
- Ergo, once they get the keys they can decode that historic traffic too
- Data of Intelligence value can be kept even on Americans, it's one of the exceptions and we know they mine emails and conversations for passwords and other data. Hence they can have a go back through that now unencrypted data and have a good look.
- Using the historic data and the ongoing taps, it doesn't need the box on Lavabit's network. I think that's just a toy to get the judge to focus on, when the real prize is the SSL key.
So to sum up, if you use Yahoo, Google, Hotmail, Facebook etc. once they've handed over those keys, all your future and past discussions are then available in the giant database General Alexander has built. Even if the FBI is handed a subset that complies with the judge's order, it is likely everything is still stuck in the database, aka 'lockbox' and continues to be used to populate the database via Bullrun.
Re: BULLRUN connect the dots - Historic Traffic
As far as I understand it, the SSL key is used briefly while the two parties negotiate a session key which is used to encrypt the traffic. Unless that session key is recorded for every connection, isn't the historic traffic worthless?
Re: BULLRUN connect the dots
Calm down AC. https://en.wikipedia.org/wiki/Perfect_forward_secrecy
Without getting into the mathematics of it, if the NSA were technically capable of breaking the forward secrecy property of SSL, they likely wouldn't need the SSL keys in the first place.
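The point at issue in the last few comments, as an added example that is not part of the thread: a recorded session negotiated with RSA key transport can be opened once the server's long-term private key is disclosed, while one negotiated with ephemeral Diffie-Hellman cannot. All function names and the toy parameters below are assumptions constructed for illustration, not real TLS code.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration; not suitable for real use).
RSA_P, RSA_Q, RSA_E = 2**127 - 1, 2**107 - 1, 65537   # two Mersenne primes
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))      # server's long-term private key
DH_P, DH_G = 2**521 - 1, 3                             # toy Diffie-Hellman group


def kdf(secret: int) -> bytes:
    """Derive the symmetric session key from the negotiated secret."""
    return hashlib.sha256(secret.to_bytes(66, "big")).digest()


def rsa_key_transport():
    """Client picks the secret and sends it encrypted under the server's public key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    wire = {"mode": "rsa", "encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return wire, kdf(premaster)          # (what a tap records, the real session key)


def ephemeral_dh():
    """Both sides use throwaway exponents; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2  # client ephemeral secret, discarded after use
    b = secrets.randbelow(DH_P - 3) + 2  # server ephemeral secret, discarded after use
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(B).encode()).digest(), "big") % RSA_N
    wire = {"mode": "dhe", "client_pub": A, "server_pub": B,
            "signature": pow(digest, RSA_D, RSA_N)}   # authentication only
    client_key, server_key = kdf(pow(B, a, DH_P)), kdf(pow(A, b, DH_P))
    assert client_key == server_key      # both ends derive the same session key
    return wire, client_key


def recover_session_key(wire, long_term_d):
    """What a recorded session yields once the long-term private key is disclosed."""
    if wire["mode"] == "rsa":
        return kdf(pow(wire["encrypted_premaster"], long_term_d, RSA_N))
    # DHE: nothing on the wire was encrypted under the long-term key, and the
    # exponents a and b were never transmitted, so the key gives no shortcut.
    return None
```

Which of the two exchanges a given server negotiated at the time determines whether stored traffic stays protected after a key disclosure.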