Yahoo has followed the lead of Google and Microsoft and enabled HTTPS encryption by default for all Yahoo! Mail users. HTTPS by default safeguards privacy over an unsecured internet connection such as a public Wi-Fi network in a cafe or an airport. Done properly the technology also safeguards against state-backed snooping …
Since any US based hosting entity is required by law to make any data/traffic accessible to NSA. Now you can feel safe from script kiddies when using public wifi.
SMTP connections are (often) still unencrypted
Lately I have been trying to figure out whether the connection between Yahoo's mail servers and the recipient's mail server is encrypted. It seems that in most of the cases it is not using TLS, thus unencrypted, a.k.a. plain text. I'm not quite sure what causes it to sometimes use TLS and sometimes not. It might be that no common cipher can be negotiated. Or that Yahoo has many servers which are not all configured in the same way.
You can test yourself by sending email to/from your Yahoo mail with another email account and then check the mail headers. How to view those depends on your mail client. In Yahoo mail you can do it by clicking on "More" below the email and then choose "View Full Header". In Outlook view the Message Options box. In Thunderbird press ctrl-U. Google for others.
You will see several "Received:" headers which will show the path of the nodes your email passed by (in reverse order). Now look for the topmost (usually) "Received:" header where the mail is handed over from the Yahoo mail server to your ISP's mail server (or vice versa). There will be something like "with ESMTPS" or "with SMTP". The second S stands for secure. So ESMTP is good, SMTP is bad.
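The header check described in the comment above, as an added example that is not part of the original post: it classifies each "Received:" hop by its "with" keyword (ESMTPS, ESMTPSA, LMTPS and LMTPSA are the RFC 3848 keywords that record a TLS-protected hop), marks hops whose sending address is in RFC 1918 private space, and reads a `version=... cipher=...` note like the one quoted further down the thread. The sample message, its host names and its addresses are constructed placeholders, and treating TLSv1 and RC4 as weak is this example's assumption.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample; every host name and address is a placeholder.
SAMPLE = (
    "Received: from mx-in.isp.example ([10.20.30.40])\n"
    "\tby store.isp.example with LMTP; Wed, 8 Jan 2014 10:00:03 +0000\n"
    "Received: from out.webmail.example ([198.51.100.7])\n"
    "\tby mx-in.isp.example with SMTP; Wed, 8 Jan 2014 10:00:02 +0000\n"
    "Received: from mail.bank.example (version=TLSv1 cipher=RC4-SHA bits=128/128)\n"
    "\tby out.webmail.example with ESMTPS; Wed, 8 Jan 2014 10:00:01 +0000\n"
    "Subject: constructed test\n\nbody\n"
)

# "with" keywords that record a TLS-protected hop (RFC 3848).
TLS_PROTOS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TLS_NOTE = re.compile(r"version=(\S+)\s+cipher=(\S+)")

def strip_comments(text):
    """Drop (possibly nested) parenthesised comments so 'with' is unambiguous."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def classify_hop(raw):
    flat = " ".join(raw.split())          # unfold the multi-line header
    bare = strip_comments(flat)
    by = re.search(r"\bby\s+(\S+)", bare)
    proto = re.search(r"\bwith\s+(\w+)", bare)
    proto = proto.group(1).upper() if proto else "UNKNOWN"
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
    note = TLS_NOTE.search(flat)
    return {
        "by": by.group(1) if by else None,
        "proto": proto,
        "tls": proto in TLS_PROTOS,
        "internal": bool(ip) and any(
            ipaddress.ip_address(ip.group(1)) in net for net in RFC1918),
        # Assumption of this example: SSLv3/TLSv1 and RC4 count as weak.
        "weak": bool(note) and (note.group(1) in ("SSLv3", "TLSv1")
                                or "RC4" in note.group(2)),
    }

def audit(message_text):
    msg = message_from_string(message_text)
    return [classify_hop(h) for h in msg.get_all("Received", [])]
```

`audit()` returns the hops newest first, the same order in which a mail client shows the headers.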
Re: SMTP connections are (often) still unencrypted
Thanks for that reminder, I just checked a mail recently sent by my bank's robo-reply.
Interestingly (this is GMAIL) the message is not encrypted when sent to me from the GMAIL server via an unroutable private address 10.x.x.x, therefore not encrypted within Google's walls. More defense in depth would be a welcome next step for our friendly neighborhood service providers but that may be a while coming, if ever.
The bank however is encrypting with ESMTPS and the mail content is indeed encrypted inside my header. The bank's encryption standard is (version=TLSv1 cipher=RC4-SHA bits=128/128) which isn't tops as stated in the article, but better than none.
Keep spreading the word, Marcel. If nothing else, this might make more people pay attention to the level of security (or lack of it) accorded to the private communications they send over public networks.
"Interestingly (this is GMAIL) the message is not encrypted when sent to me from the GMAIL server via an unroutable private address 10.x.x.x, therefore not encrypted within Google's walls."
Again - HTTPS is being (in some quarters) taken as a panacea. It's not. It covers your data in transit, and depending on its implementation may be doing a reasonable job.
Once it hits your email provider (or the recipients) it may well be stored unencrypted, or fired around their networks unencrypted. As has been shown on various slides, if the NSA (or other groups) are sniffing inside the firewall/entry point, HTTPS is irrelevant. If they can access the data (via warrant or nefariously) due to it being plain text "at rest", it's irrelevant.
Outlook/Outlook Express used to allow for x509 certs, which whilst a pain to get hold of and install, were near transparent when used. As long as your cert/password were secured, your mail was neatly encrypted in transit and at rest.
I'd love to see the following adopted :
a) Sign into email client (local or web)
b) Be forced to generate x509 keys - storing private key locally (or, worst case, the passphrase - and let's skip the "do we trust the mail provider?" question for now)
c) Start to compose new mail
d) Enter recipient address
e) Mail client checks PGP/GPG/keystores for a current public key for recipient
f) If key found, carry on - just automatically and silently encrypt the mail
g) If key NOT found - display mahoosive warning that the email can't be secured - don't type secure things!
(NB: I'm aware Thunderbird/PGP do bits of the above, but not all of it, and it's client/user specific - rather than something that *could* be flicked on for everyone)
Obviously the snag comes with key expiry/rotation - methods need to be employed to (ahead of time) archive email securely
If Google/MS/Yahoo built the above in, and let you either use your own keys or generate them for you, it would probably gain faster uptake - and the inherent security in x509 would (or should!) show if your emails were encrypted for anyone else other than the recipient (i.e. "Google archive key") - or if a key generated by them was "downstream" of another trusted key - you can raise eyebrows accordingly.
The minute you enter a passphrase you've no guarantee it's not being logged, so you can only really go "so far" with bolting things down - but ultimately, if something is "that" secure - don't put it on email, or better yet, keep it offline!
It's good for people to realize what is actually happening with their mail. Most don't and tech companies abuse this by giving us half solutions. Anyway, in my opinion, using TLS on all connections will at least make it much harder to do wholesale mass surveillance. It's pretty cheap to implement and pretty expensive to crack.
Anyway, meanwhile, people think of new alternatives such as Mailpile. Check it out.
Re: SMTP connections are (often) still unencrypted
Nice tip - thanks Marcel
Given how appalling yahoo periodically make their mail interface, messing up on the encryption strategy is no surprise at all. It feels like every revision of yahoo mail has been explicitly designed to push previously happy users away to alternative platforms. I try to be forward thinking and give things a good chance before rejecting them, but with yahoo mail I just can't do it. And then yahoo intentionally screw up the "legacy" mail to make it worse than the previous mail so you're stuck with a deficient mail interface that superficially looks like the older one or a new one that's just deficient in pretty much every usability way they could think.
Something weird happened with Yahoo mail servers. The DNS to their .co.uk servers stopped working, and we had to point all our clients for incoming mail to .com instead. Seemed to happen over this switch.
Probably doesn't help
The real problem with Yahoo mail is the drive-by compromise of logged-in mail accounts. I've lost count of the number of acquaintances with Yahoo addresses who have "apparently" wound up without funds in foreign countries and urgently require an anonymous wire transfer - I doubt that this change fixes the problem.
Remember that the keys have been sold
So "security" programs DO exist that can use bogus certificates to perform MiM attacks, etc. And they are used not just by three letter agencies, but to spy on workers...
Which means you need to trust HTTPS to believe things are now secure.
Yahoo, the company that cannot leave a working interface alone but must fiddle with it until it doesn't work at all.
Still won't accept my password, still claims I can't reset *to* that password because I already use it (though they cannot verify it at sign on). Once in, the regretting begins.
Can you say "death spiral" kiddies?
HTTPS and Crypto are irrelevant if your keyboards and drives and chips
Have already been (and continue to from manufacturers be) compromised. Keystroking/keylogging and radio-scooped payloads make most consumer-targeted encryption irrelevant, right?
Re: HTTPS and Crypto are irrelevant if your keyboards and drives and chips
Then again, if everyone encrypted their email and web browsing with private keys, agencies would need to perform a whole lot of keylogger installations to maintain the successful content interception rates they currently see now.
Ubiquitous encryption would erase many of the issues and fears raised by the mass spying debate. Right now it is just too easy to suck up and analyze everything.
My next favorite security tool (or tools) will be those that detect and flag symptoms of local hardware compromise or can identify known compromised components. Then I will watch as manufacturers are outed and customers begin cancelling orders.
Losing money is the only thing that the data Langoliers and sponsors will really understand.
And as public email providers who deliberately compromise or weaken their users' security and privacy get noticed, new providers will appear. This is why the big service providers need to start encrypting.
If they don't, someone else will and will start eating their lunch.
The thistle will spread its seeds into the wind, and more thistles will grow.
"flaws in the implementation leave Yahoo! webmail far more vulnerable to snooping by intelligence agencies such as the NSA and others."
Let's face it, that's probably by design.
Besides which, does anyone think that bog standard email is by any stretch a secure channel? Switching on encryption between you and your mail server is like blindfolding the postman as he hands over your postcard at your doorstep - doesn't stop anyone reading it at the sorting office or along any of the routes from the sender.
At best, encrypting the final hop makes it a bit safer using wireless hotspots.
Just As An Aside...
(rant mode = on)
Yahoo! Mail screwed me over quite a few years ago.
When I first started using the Internet, I didn't have an e-mail address, as all of the access accounts I had were stolen. Then, due to peer pressure, I had to set up an e-mail account. Hotmail for about a year, then I switched to Yahoo! Mail. I used that for almost ten years.
Unfortunately for me, I became homeless at one stage (karma), with no real Internet access. Occasionally I logged into the Yahoo! chat client during my homelessness, but not my Yahoo! Mail (with the same credentials).
Then one day, when I went to log into my Yahoo! Mail, I was informed that the account had been deleted due to inactivity. I could get the address back, but I could not get the almost ten years of e-mails back. They were gone. Deleted.
(rant mode = not quite finished)
Very sorry for your misfortune.
Congratulations on coming back from that (what I infer from the tone of your post).