Last week saw Yahoo implement encryption for data in motion between data centres as well as plans to offer a more secure user experience.
In the statement, Alex Stamos, chief information security officer at Yahoo said that Yahoo has now fully encrypted traffic moving between Yahoo data centres, as well as adding HTTPS encryption to all search enquiries “and most Yahoo properties”.
Stamos, who made the post marking only his fourth week in the job, said: “We implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We are currently working to bring all Yahoo sites up to this standard.”
Also due is a new, encrypted, version of Yahoo Messenger in the next few months. “One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos said. ”Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.
“Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.”
The move has undoubtedly come in response to news from last year which claimed that the US National Security Agency (NSA) had tapped data traffic that was moving between Google’s data centres. Talking to IT Security Guru, Terence Spies, CTO of Voltage Security, said that Yahoo and lots of other people are responding to what happened with Google, and he said that the two events that have motivated people over the last couple of months have been the NSA disclosures and the Target breach. “This really changed the game a lot in terms of people not necessarily starting encryption projects from scratch, but definitely adding more priority and intensity to getting those projects done,” he said.
Spies said that he thought that this was good news, as encryption is one of those things that is easy to put off and when it works, nothing happens. “This is true of a lot of security technology, and people are finally realising that it is essentially the only real way you are going to get to secure data that doesn’t have to be updated all of the time as you move through things.”
When I first learned about how encryption works having made the leap into IT security journalism back in 2008, I fou
nd the concept of locking and unlocking quite hard to understand and in recent conversations, the story has been less on encryption itself, and more on key management. However, as Spies said, this is technology designed and intended to be invisible, but as the stories on infiltration of communication have emerged, the need to secure communications have risen inexplicably for businesses.
Spies colleague Mark Bower, VP of product management and solutions architecture at Voltage Security, said it was great “to see more emphasis on encryption as a response to snooping and the risks to data in the increasingly hostile threat landscape”.
However he asked if end-to-end email encryption means protection from sender to recipient without security gaps, as adding SSL, VPN or protecting network traffic internally at Yahoo doesn’t do that.
He said: “Think about email recipients – and the message in their inbox, their replies and forwards – those are far beyond where SSL stops inside Yahoo, or to and from a Yahoo mail user. Recipients are one of the ‘ends’ – as are senders. End-to-end encryption also implies that Yahoo doesn’t have access to email on its servers – is that really the case here given Yahoo’s business is about mining data on its servers?
“If an organisation need to scale to Yahoo or Google’s scale, and encrypt email end-to-end without complicating things for end-users and requiring large operational teams, then newer public key methods like Identity-Based Encryption (IEEE 1363.3 standard). IBE lays the foundation for ease of use and security without the pain of the older end-user certificate management approaches that have proven to be too complicated for end users.”
With more than 68 million users of IBE-based solutions, Bower said that this should be a consideration as “IBE solves the critical key management and complexity problems that plague traditional end-to-end solutions and already proven in large scale implementations”
It seems that any move to offer more secure communications is a positive one, and Stamos has been tasked with ensuring that Yahoo does not incur more bad headlines.
The problems is, as Bower pointed out, is that encryption changes and as new standards are issued in the wake of older algorhythms being dismissed, businesses are forced to play catch-up. However, how far ahead are those who watch and seek to break?