Since the beginning of this year, Yahoo has had several good news for its customers: Yahoo Mail got HTTPS on by default, and the company began encrypting all the traffic moving between its data centers.
At Black Hat in Las Vegas on Thursday, Yahoo CISO Alex Stamos has announced that the company will be implementing end-to-end encryption for Yahoo Mail, and will do so by using a modified version of the End-to-End browser plugin created by Google.
The company has hired privacy engineer Yan Zhu – formerly an engineer at the Electronic Frontier Foundation – to make the necessary changes and implement the solution by 2015. She previously worked, among other things, on EFF’s HTTPS Everywhere browser extension.
The goal is to make encrypting your email so easy that users will happily use the option, but Stamos says that they will, nevertheless, have to educate users a little bit, and definitely make them understand that while the contents of the encrypted message are safe, the recipient of the email is and will be known.
Another great news for worried users is that Yahoo has no access to the encryption keys, as the messages are encrypted on the user’s computers before being sent. This also means that law enforcement and intelligence agencies can’t demand the keys from the company.
This is bound to be a good selling point for Yahoo, and Stamos also pointed out that they do no expect this change to have an adverse impact on revenue. Yahoo won’t be able to scan encrypted messages for advertizing purposes, it’s true, but encrypted messages will not be a default.
“The ticket to Las Vegas that United emails you — and that we use to display Vegas ads to you — is never going to be encrypted,” he pointed out. Other, more private messages don’t have much commercial value.