In an extremely important and positive development triggered by Edward Snowden's disclosures, Yahoo has announced that, like Google, it will begin offering encrypted email. It has been clear that the only way government spying could be thwarted is for the big companies to build strong encryption into their software and make it easy to use, because ordinary people are too intimidated by what is required to set it up on their own. We cannot depend upon Congress to rein in the NSA.
Yahoo said Thursday it will join an effort by rival Google to create an encrypted email system by next year that could make it mathematically impossible to hand over users’ messages to a court.
If they’re successful, it would mark a big step in bringing encrypted messaging — long the province of privacy hawks and conspiracy theorists — to a consumer-friendly service.
…Both companies say the encryption tool will be an optional feature that users will have to turn on.
…It will rely on a version of PGP encryption, a long-tested form of encryption that has not yet been cracked. Unlike traditional webmail services that rely on tech companies holding passwords and usernames for consumer accounts, PGP relies on each user having their own encryption key stored on their laptops, tablets and smartphones.
In an interview, Yahoo’s chief information security officer, Alex Stamos, acknowledged there are challenges ahead for bringing such a tool to the general public.
For one, Yahoo has to explain to users how PGP works and that it is not a panacea for privacy concerns. For instance, it only encrypts the content of messages — not the data on who sends and receives the messages or the subject line.
“We have to make it clear to people it is not secret you’re emailing your priest,” Stamos said in an interview at the Black Hat security conference here. “But the content of what you’re emailing him is secret.”
The big issue is whether the government can demand that the companies hand over the encryption keys, and whether they will comply. The owner of Lavabit, which also offered an encrypted mail service, shut it down rather than comply with a government demand for its encryption keys (the server’s private key, which would have exposed every user’s connections, not just the target’s). But Stamos says the government cannot push a big corporation around that easily.
“It’s not clear the Lavabit example actually scales up,” he said. “That’s very different from a publicly traded multibillion dollar company with an army of lawyers who would love to take this argument all the way to the Supreme Court.”
It will be interesting to see how the government will respond to this serious challenge to its spying powers.
Chiroptera says
The big issue is whether the government can demand that the companies hand over the encryption keys, and whether they will comply.
Heh. Do you really have to ask that?
--
The US government forced the owner of the company Lavabit, which also had an encrypted mail service, to shut down his company because he refused the government’s request to hand over the encryption keys.
If I recall correctly, he voluntarily shut his business down rather than be forced to comply with the government’s request. Now that is dedication to privacy. (And I seem to recall that he still got into trouble for doing that.)
Chiroptera says
But Stamos says the government cannot push a big corporation around that easily.
Bullshit. The people who run the large corporations are exactly the same people who move into and out of high level government positions. The question isn’t whether the government is going to force the large corporations into doing something they don’t want to do. The question is what is going to be ultimately better for US corporate executives’ fat compensation packages: allowing the corporations to sell security, or to continue to be able to spy on the rabble who might cause trouble.
Konradius says
Why do you think anyone outside the US would trust software from the USA? (or China or Russia for that matter)
Marcus Ranum says
I am concerned that these systems will provoke false confidence. The reality is that the encryption keys are held by the service and -- at the user-levels such services support -- are usually encrypted with a master key-encrypting key. That master key-encrypting key is what the FBI will grab using a National Security Letter, or the NSA will steal from the server via a code exploit in the server software.
The only way to engage in secure communications is to not trust an intermediary. Period … Sigh. I should write some articles about this. I used to teach full day classes at USENIX on how to build ad-hoc encrypting networks. That’s knowledge that probably should be getting wider play. 🙁
corwyn says
Why would an email system based on PGP have the company hold the encryption keys? That is the whole point of public key encryption. The user creates a key pair, one of which is used to encrypt the message, and it is NOT secret, it is in fact published, the other is secret and only needs to be known by the user. The company should never even have that secret key.
corwyn says
@3: As opposed to what? Sending text in the clear?
Marcus Ranum says
Reading between the lines it sounds like they’re going to somehow facilitate a key exchange between users, so the users can do endpoint to endpoint encryption. The problem with even that is traffic analysis (the art of figuring out the relationships and even command/control structure of an enemy’s communication network without reading the messages. See “Traffic Analysis and the Zendian Problem,” Aegean Park Press) — the NSA’s PRISM program is specifically designed to perform bulk traffic analysis; having a ton of users pushing all their stuff through Yahoo! or Google makes it a hyper-analyzable hub; it is the antithesis of good communications security.
The way to really fuck the NSA up would be to instantiate a “Jihadi Pen-pal” program. In fact, it wouldn’t require very many people to do it, and/or the jihadis could do it unilaterally: begin emailing people at random, with cryptic (but not spammish) messages in Arabic — or simply “hello, friend, I wish you well” — once one had a few real emails from some real jihadis, then it’s a matter of forwarding them to any cops, congressmen, members of the intelligence community or FBI, Mossad agents, Russian oligarchs, or executives that you know. The broadest possible spread of the network would do the maximum disruption damage. Back in the cold war days, if you worked at NSA and came into contact with a Russian national, you had to report to your site security officer for debriefing; a jihadi pen-pal program would gum up and overload several procedural pathways. Support your right to freely associate!!!
PS -- The swallow flies at midnight. The goats have ticks. The grass is greener on the other side.
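The traffic analysis Marcus Ranum describes above, as an added example that is not part of the original thread: it runs over a constructed mail-relay envelope log (the addresses, timestamps and sizes are made up for the example) in which every message body is encrypted, and recovers the shape of the network anyway: who the hub is, who opens conversations, and who broadcasts to several people at once. The log line format and the function names are assumptions for the example, not anything Yahoo or Google publish.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed mail-relay envelope log for the example (not real traffic).  Every
# body is PGP-encrypted; the relay still has to see sender, recipient, time and
# size to deliver the message at all, and that is what traffic analysis uses.
ENVELOPE_LOG = """\
2014-08-07T09:00:05Z from=<lead@yahoo.example> to=<alpha@gmail.example> size=1824 body=pgp
2014-08-07T09:00:07Z from=<lead@yahoo.example> to=<bravo@yahoo.example> size=1831 body=pgp
2014-08-07T09:00:09Z from=<lead@yahoo.example> to=<charlie@mail.example> size=1829 body=pgp
2014-08-07T09:14:40Z from=<alpha@gmail.example> to=<lead@yahoo.example> size=622 body=pgp
2014-08-07T09:21:03Z from=<bravo@yahoo.example> to=<lead@yahoo.example> size=590 body=pgp
2014-08-07T09:35:18Z from=<charlie@mail.example> to=<lead@yahoo.example> size=640 body=pgp
2014-08-07T11:02:55Z from=<alpha@gmail.example> to=<bravo@yahoo.example> size=3402 body=pgp
2014-08-07T11:40:12Z from=<bravo@yahoo.example> to=<alpha@gmail.example> size=410 body=pgp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<src>[^>]+)> to=<(?P<dst>[^>]+)> size=(?P<size>\d+)")


def parse_envelopes(text):
    """Return time-ordered (timestamp, sender, recipient, size) tuples; lines that
    do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["src"], m["dst"], int(m["size"])))
    return sorted(records)


def contact_graph(records):
    """Undirected contact graph: address -> Counter of correspondents."""
    graph = defaultdict(Counter)
    for _, src, dst, _ in records:
        graph[src][dst] += 1
        graph[dst][src] += 1
    return graph


def ranked_by_degree(graph):
    """Addresses by number of distinct correspondents.  The top entry of a
    star-shaped network is its hub, whatever the (unreadable) messages say."""
    return sorted(graph, key=lambda addr: (-len(graph[addr]), addr))


def first_movers(records):
    """For each pair, who opened the conversation.  A node that always opens
    and is always answered looks like command, not peer."""
    opener = {}
    for _, src, dst, _ in records:          # records are time-ordered
        opener.setdefault(frozenset((src, dst)), src)
    return opener


def broadcast_bursts(records, window_seconds=60, min_recipients=3):
    """Senders that address several distinct recipients inside a short window:
    a tasking/broadcast pattern, visible from envelopes alone."""
    sends = defaultdict(list)
    for ts, src, dst, _ in records:
        sends[src].append((ts, dst))
    bursts = {}
    for src, items in sends.items():
        for i, (t0, _) in enumerate(items):
            fanout = {d for t, d in items[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(fanout) >= min_recipients:
                bursts[src] = max(bursts.get(src, 0), len(fanout))
    return bursts


if __name__ == "__main__":
    recs = parse_envelopes(ENVELOPE_LOG)
    graph = contact_graph(recs)
    print("hub:", ranked_by_degree(graph)[0])
    print("openers:", {tuple(sorted(k)): v for k, v in first_movers(recs).items()})
    print("bursts:", broadcast_bursts(recs))
```

Nothing here looks at message content; the hub, the direction of command and the broadcast pattern all come out of the envelopes the relay must see to deliver mail at all, which is why a single large provider is such a convenient point of observation and why content encryption alone does not address it.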
Marcus Ranum says
I should have said:
(in Arabic) Perhaps this would be more fun to use as a signature.
corwyn says
@7: “Reading between the lines it sounds like they’re going to somehow facilitate a key exchange between users, so the users can do endpoint to endpoint encryption.”
The way PGP works, the company would be a clearinghouse for *public* keys. I was unclear above: the public key of your RECIPIENT is used to encrypt the message. The recipient would use their private key (which never needs to leave their computer) to decrypt the message. They would then use your public key to respond. The company never has any private keys to turn over (unless they are idiots, corrupt, or in collusion with the government).
As has been said, none of this addresses issues with traffic analysis, for that one needs an anonymizing service.
Marcus Ranum says
The company never has any private keys to turn over (unless they are idiots, corrupt, or in collusion with the government)
Public key crypto depends on a reliable way to distribute the public keys — what you describe is a system with a built-in man-in-the-middle attack. (PGP user since version 1.1, back when we thought 512-bit RSA keys were good enough)
If users are careful to check the PKs out of band, it’ll be OK. But -- guess what? Most PGP keys are exchanged in-band. 🙁
Marcus Ranum says
Put differently: public key doesn’t actually solve key management. It giveth and it taketh away. I would actually prefer to have seen Yahoo! implement something with peer-to-peer key exchanges based on a Diffie-Hellman exchange with perfect forward secrecy, somewhat like the AT&T TSD-3600 used to do.* The NSA has had a lot of time to attack PGP.
(* randomly generated key seeded by sampling line noise, exchanged over a DH to establish bulk crypto, then “forgotten” immediately after the exchange. A 5 decimal modulus of the key was displayed on an LCD so you could verify that you hadn’t been MITM’d by reading the digits to the person on the other end of the line as soon as you connected)
Jenora Feuer says
The main problem is, when you get right down to it:
-- Any truly secure system is going to be inconvenient to set up, and usually inconvenient to use. As Marcus notes, key exchange has to be at least verified out of band if you want actual security. (Otherwise Yahoo could just provide fake public keys to anybody asking for the public key of someone they’re sending email to, then decrypt the mail themselves and re-encrypt it using the actual public key for the recipient.)
-- Most people aren’t willing to sacrifice convenience (which they have to deal with all the time) for security (which doesn’t visibly affect them most of the time).
It sounds like Yahoo! is at least making it more convenient to hit a certain base level of encryption security by acting as a clearing house for keys. This is, indeed, not entirely secure, but at least it’s an improvement over what most people are doing now.
corwyn says
Not really. There is a false identity attack here, but no man-in-the-middle. That is, if the government wanted to decrypt my message to you, they could have Yahoo send me their public key, instead of yours. But then you could not decrypt the message, and the conversation goes no further.
Manually verified PGP fingerprints (transmitted over a different medium) would solve even this problem, but I have no idea whether Yahoo et al expect people to be able to do that, or whether they are hiding that detail to make things ‘user friendly’.
(PGP user since a similar time, and security programmer, about 15 years out of state of the art)
corwyn says
http://xkcd.com/364/
Dunc says
But they’re also the intermediary for all subsequent messages, so they can keep both public keys, decrypt the messages in transit, and then re-encrypt them with the correct keys.
corwyn says
Yes, sorry, I see what you are saying now. That is why you need to verify PGP fingerprints (and signatures of messages).
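The key-substitution attack argued out above (a key directory that hands each side its own public value, then decrypts and re-encrypts in transit) and the out-of-band check that catches it, as an added example that is not part of the thread. It is written as a stand-alone Diffie-Hellman exchange with a TSD-3600-style short authentication string rather than as PGP, so the relay's substitution and the users' check are both visible in code; the relay classes, the function names and the 5-digit string length are assumptions for the example, and the 1024-bit group is for demonstration only.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2.  1024 bits
# is below current minimums (anything real should use RFC 3526 group 14 or an
# elliptic-curve group); it is used here only because the point of the example
# is key substitution, not parameter strength.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
    """Miller-Rabin with fixed bases: enough to sanity-check a published group."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keypair():
    """Ephemeral DH pair; the exponent is discarded after use (forward secrecy)."""
    x = secrets.randbits(256) | 1            # a 256-bit exponent is plenty for this group
    return x, pow(G, x, P)


def shared_key(priv, peer_pub):
    """Hash the DH shared secret into a 256-bit key; refuse degenerate peer values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    z = pow(peer_pub, priv, P)
    return hashlib.sha256(z.to_bytes(128, "big")).digest()


def short_auth_string(key, digits=5):
    """A few decimal digits derived from the key, read aloud to the other end out
    of band (what the TSD-3600 put on its LCD); 5 digits is an assumed length."""
    n = int.from_bytes(hashlib.sha256(b"sas|" + key).digest(), "big")
    return f"{n % 10 ** digits:0{digits}d}"


class HonestRelay:
    """Key directory that hands each side the other's real public value."""
    def alice_to_bob(self, alice_pub):
        return alice_pub

    def bob_to_alice(self, bob_pub):
        return bob_pub


class SubstitutingRelay(HonestRelay):
    """Key directory that swaps in its own values: the built-in man-in-the-middle
    of a directory nobody verifies.  It ends up holding a key to each side."""
    def __init__(self):
        self.priv_as_alice, self.pub_as_alice = keypair()   # what Bob is shown
        self.priv_as_bob, self.pub_as_bob = keypair()       # what Alice is shown
        self.key_with_alice = self.key_with_bob = None

    def alice_to_bob(self, alice_pub):
        self.key_with_alice = shared_key(self.priv_as_bob, alice_pub)
        return self.pub_as_alice

    def bob_to_alice(self, bob_pub):
        self.key_with_bob = shared_key(self.priv_as_alice, bob_pub)
        return self.pub_as_bob


def run_exchange(relay):
    """Both sides publish through the relay; returns (Alice's key, Bob's key)."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    pub_bob_received = relay.alice_to_bob(alice_pub)
    pub_alice_received = relay.bob_to_alice(bob_pub)
    return (shared_key(alice_priv, pub_alice_received),
            shared_key(bob_priv, pub_bob_received))


def verified_out_of_band(key_alice, key_bob):
    """The check the users do by voice: matching digits mean nothing was swapped."""
    return short_auth_string(key_alice) == short_auth_string(key_bob)


if __name__ == "__main__":
    for relay in (HonestRelay(), SubstitutingRelay()):
        ka, kb = run_exchange(relay)
        print(type(relay).__name__, short_auth_string(ka), short_auth_string(kb),
              "OK" if verified_out_of_band(ka, kb) else "MISMATCH: key substituted")
```

With the honest relay both ends read the same digits; with the substituting relay each end shares a key with the relay, not with each other, and the digits differ. Reading a PGP fingerprint to the other person over the phone is the same check applied to a long-term key: the directory is trusted only to deliver keys, never to vouch for them, and with both public values fetched in-band and unverified there is nothing to stop a re-encrypting relay in the middle.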
Lassi Hippeläinen says
@Marcus Ranum #7
Someone should write an Onion Router extension to SMTP.
corwyn says
I don’t think we should under-emphasize the effect that having everyone encrypt their email would have, even if the facility was reading every encrypted message. It would reduce the number of possible eavesdroppers from millions to one. Also, the expectation of privacy in encrypted email would immediately be obvious.