Yahoo has announced that it is to introduce end-to-end (e2e) encryption for its webmail service Yahoo Mail.
In a blog post, Yahoo CISO Alex Stamos said that the e2e function is enabled via a plugin. At this stage Yahoo is releasing the source code for feedback from the wider security industry, but the goal is to provide an intuitive e2e encryption solution for all users by the end of the year.
He said: “Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online. There is a wide spectrum of use for e2e encryption, ranging from the straightforward (sharing tax forms with an accountant), to the potentially life-threatening (emailing in a country that does not respect freedom of expression).
“Wherever you land on the spectrum, we’ve heard you loud and clear: We’re building the best products to ensure a more secure user experience and overall digital ecosystem.”
He also announced that the plug-in source code has been released on GitHub. “We encourage other mail providers to build compatible solutions, and for security researchers to take a look and report any potential vulnerabilities they find via our Bug Bounty program,” he said.
TK Keanini, CTO of Lancope, praised the innovation, saying that more work of this kind is needed in authentication. “Yahoo knows that the most personal device on a person these days is their mobile phone and let’s not stop here, let’s keep innovating even more techniques to raise the cost to our attackers,” he said.
Jared DeMott, principal security researcher at Bromium, said: “If companies are serious about better login security, the default choice will need to be modified. In light of that, it is good to see Yahoo trying to address the password problem.
“In engineering, it’s about balancing the gains against the losses. Time will tell if this is a better choice. Certainly when Yahoo first started offering email, many users would not have had a mobile to do two-factor with, but now many will. Balancing privacy, ease-of-use and recovery against security is always the trick.”