March 15, 2015
Yahoo sees 'end to end' email encryption by year-end
Maybe, if both of them are using Yahoo for their mail host.
But as a general problem it runs into the same issue as everything else: What key do you use for encryption, and how does the receiver get it without anyone else getting it?
Approximate answer: everyone publishes a public key. If you want to send email to someone, you use his public key to encipher a session key, used to encrypt the email. The encrypted session key is included in the email message.
When he receives it, he uses his private key to decrypt the session key, then uses that to read the email message.
All well and good, except for one thing: How do you get his public key, and how can you be sure you got the right one? That's where this all breaks down. One way or another, no matter how you design this part of it, there's a low/no security transaction which can be snooped or faked by someone bad (or NSA).
End-to-end encryption works better if you exchange a lot of emails with one person and can manually and reliably set up the keys at the beginning of the relationship.
But for a general n-to-n system, to support hundreds of millions of people, and allow encryption of messages sent to abitrary receivers for the first time, there is no way to get there from here.
Posted by: Steven Den Beste in Weird World at
08:12 PM
| Comments (9)
| Add Comment
Post contains 248 words, total size 2 kb.
-j
Posted by: J Greely at March 16, 2015 08:58 AM (1CisS)
Posted by: Jordi Vermeulen at March 16, 2015 12:01 PM (9BWts)
Posted by: Steven Den Beste at March 16, 2015 06:37 PM (+rSRq)
Sadly, because they have to implement secure webmail on top of SSL, they have to code around just that sort of spyware. Google calls it out in the threat model document for their solution (which the Yahoo stuff turns out to be a fork of).
-j
Posted by: J Greely at March 16, 2015 08:37 PM (ZlYZd)
Posted by: Pete Zaitcev at March 17, 2015 10:27 AM (RqRa5)
Seriously, what's a newly-hired accountant supposed to think when Chrome throws up the words "Attackers might be trying to steal your information from intranet.foobar.com (for example, passwords, messages, or credit cards)" and someone in IT says "no, just click okay, it's fine?
For all the usability flaws of PGP and the web of trust, at least they don't make it sound like a felony to install a cert.
-j
Posted by: J Greely at March 17, 2015 12:42 PM (ZlYZd)
Posted by: CatCube at March 18, 2015 05:17 PM (fa4fh)
Posted by: Steven Den Beste at March 18, 2015 06:04 PM (+rSRq)
-j
Posted by: J Greely at March 18, 2015 10:06 PM (ZlYZd)
Enclose all spoilers in spoiler tags:
[spoiler]your spoiler here[/spoiler]
Spoilers which are not properly tagged will be ruthlessly deleted on sight.
Also, I hate unsolicited suggestions and advice. (Even when you think you're being funny.)
At Chizumatic, we take pride in being incomplete, incorrect, inconsistent, and unfair. We do all of them deliberately.
How to put links in your comment
Comments are disabled.20 queries taking 0.0289 seconds, 26 records returned.
Powered by Minx 1.1.6c-pink.