
posted by LaminatorX on Friday August 08 2014, @04:36PM
from the Trust-No-One dept.

Ars is reporting that Yahoo will offer a browser plugin providing end-to-end PGP encryption. Speculation is that it will be a JavaScript plugin, similar to what Google offered.

The problem with any of these plugins is that the browser (or at least the plugin) will have access to your private key. Nobody is quite sure that anything developed for a browser can be trusted not to leak your private key, or whether Yahoo or Google could be compelled to harvest keys just as other companies like Lavabit were forced to turn over their own SSL keys.

The Google plugin was released in Beta in June.

Both would seem to get over the learning curve and offer opportunistic encryption whenever both parties are using the same service. Whether or not the plugins will try to fetch public keys from key servers is yet to be determined.

So will you trust either of these plugins?

Would you switch to reading mail in a browser for this feature?

  • (Score: 4, Informative) by hoochiecoochieman on Friday August 08 2014, @04:38PM

    by hoochiecoochieman (4158) on Friday August 08 2014, @04:38PM (#78962)

    No

    • (Score: 2) by ngarrang on Friday August 08 2014, @04:43PM

      by ngarrang (896) on Friday August 08 2014, @04:43PM (#78968) Journal

      Smart users will say no.

      The average user will think they are being safer by using it, not knowing about the critical exposure flaw that being a browser plug-in can be.

      • (Score: 2, Insightful) by pendorbound on Friday August 08 2014, @07:19PM

        by pendorbound (2688) on Friday August 08 2014, @07:19PM (#79054) Homepage

        As compared to sending everything in the clear, the average user will be safer. Completely safe? No. Somewhat safer than before, probably.

        As for compelled disclosure of keys, if you're interesting enough to anyone with power, there's no need. [See: $5 wrench]

        • (Score: 2, Insightful) by Anonymous Coward on Friday August 08 2014, @07:34PM

          by Anonymous Coward on Friday August 08 2014, @07:34PM (#79060)

          > Completely safe? No. Somewhat safer than before, probably.

          If there is one stereotype I hate about geeks it is black-and-white thinking.
          It is always the loudest idiots who can't grasp that the perfect is the enemy of the good.

  • (Score: 3, Funny) by cmn32480 on Friday August 08 2014, @04:44PM

    by cmn32480 (443) <{cmn32480} {at} {gmail.com}> on Friday August 08 2014, @04:44PM (#78969) Journal

    They developed the plugin so that only THEY can mine your data... says the guy posting from Chrome.

    --
    "It's a dog eat dog world, and I'm wearing Milkbone underwear" - Norm Peterson
    • (Score: 0) by Anonymous Coward on Sunday August 10 2014, @11:30PM

      by Anonymous Coward on Sunday August 10 2014, @11:30PM (#79828)

      SO happy to see that Normism 'in print' again.

      It's the ONLY one I still remember to this day! :D

      Has someone cut all these into a YouTube clip? I'd watch it! (^_^)

      I saw one done for Itchy and Scratchy from THE SIMPSONS.

      Matt Groening was right--I & S is only good in small doses of
      hilarious ultraviolent absurdity. Any more and it doesn't work
      and will likely make you uncomfortable.

      Note:

      Filter error: Please don't use so manny caps. using caps is like yelling!

      Which is the POINT of a Normism! :P

  • (Score: 4, Insightful) by hoochiecoochieman on Friday August 08 2014, @04:46PM

    by hoochiecoochieman (4158) on Friday August 08 2014, @04:46PM (#78972)

    Yahoo wants me to install a browser plugin plus some local binaries so I can read my webmail. WTF? Is HTML + Javascript not enough?

    What about Android? It wants me to install an app to read my mail. It used to let me refuse and instead read it in a mobile site, but lately, when I click on the "mobile website" link it hangs forever. When trying to install the app, it asks me for permission for everything and then something else, which I can't imagine why they would ever need just to show me my email. And they've been adding more permissions to it. Fortunately they aren't asking for permission for anal probes, but I fear they'll come up with that one too, eventually.

    Trust Yahoo? No fucking way.

    • (Score: 3, Informative) by Nerdfest on Friday August 08 2014, @06:23PM

      by Nerdfest (80) on Friday August 08 2014, @06:23PM (#79023)

      Doesn't Yahoo support IMAP and POP? Use a different mail app, ideally open-source. I like K9, which also has a nice PGP plug-in. Why trust someone when you don't need to?

      Unrelated to the parent post, but related to the topic ... is the browser plug-in open-source? If not, why not? When we talk about trust, we really should be talking about open source software. You can't trust closed source software, and even open-source must be reviewed.

      • (Score: 2) by frojack on Friday August 08 2014, @06:48PM

        by frojack (1554) on Friday August 08 2014, @06:48PM (#79039) Journal

        Plus 1 for K9 and APG (PGP) plugin.
        According to a recent article [campaignmonitor.com] most people are reading mail on mobile devices. Of course these devices leak like sieves and we assume both K9 and APG are secure, but the permission system on android is less than ideal.

        IMAP on Yahoo is flakey at best. They favor their own client, but K9 works.

        Part of the problem is IMAP.

        People storing tons of mail on other people's servers, where historically no warrant was required [cnet.com] to obtain it if it had been there for 180 days. The 180-day rule stems from the Electronic Communications Privacy Act, which was adopted in the era of telephone modems, BBSs, and UUCP links, and long before gigabytes of e-mail stored in the cloud was ever envisioned.

        Supposedly this has changed with recent court rulings but there are conflicting rulings in different areas. Congress is still dithering [propublica.org] with different bills in house and senate.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 3, Informative) by Nerdfest on Friday August 08 2014, @07:48PM

          by Nerdfest (80) on Friday August 08 2014, @07:48PM (#79069)

          If you use Android (without ART runtime), have a look at XPrivacy in the Xposed framework. It allows very fine-grained control over permissions ... too fine for most probably. I'm hoping someone manages to implement the same thing under ART.

  • (Score: 4, Interesting) by tynin on Friday August 08 2014, @04:50PM

    by tynin (2013) on Friday August 08 2014, @04:50PM (#78974) Journal

    Not that I've looked too hard, but I've not heard any mention of key management, which always ends up being the hard part in this equation. Sure, we of the nerdier persuasion can encrypt and sign a message for a long time now. But teaching grandma to keep her private key safe as well as accessible hasn't been something I've been able to accomplish.

  • (Score: 1, Informative) by Anonymous Coward on Friday August 08 2014, @05:13PM

    by Anonymous Coward on Friday August 08 2014, @05:13PM (#78987)

    1. Leaked Files: German Spy Company Helped Bahrain Hack Arab Spring Protesters

    https://firstlook.org/theintercept/2014/08/07/leaked-files-german-spy-company-helped-bahrain-track-arab-spring-protesters/ [firstlook.org]

    2. /u/PhineasFisher leaks 40GB of data taken from security firm Gamma International, proving how their software FinFisher was used by Middle Eastern governments to spy on dissidents and journalists.

    http://www.reddit.com/r/bestof/comments/2cypny/uphineasfisher_leaks_40gb_of_data_taken_from/ [reddit.com]

    3. Gamma FinFisher hacked: 40 GB of internal documents and source code of government malware published

    http://www.reddit.com/r/technology/comments/2ct6kj/gamma_finfisher_hacked_40_gb_of_internal/ [reddit.com]

    4. Gamma International Leaked

    http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked/ [reddit.com]

    5. Also:

    https://news.ycombinator.com/item?id=8143232 [ycombinator.com]

  • (Score: 1, Funny) by Anonymous Coward on Friday August 08 2014, @05:34PM

    by Anonymous Coward on Friday August 08 2014, @05:34PM (#78998)

    "Seriously guyz we're super secure now!!"

    I've had more friends with Yahoo accounts hacked and turned into spam cannons than I can count over the years. There is just no way I'd ever even begin to trust Yahoo with anything security related.

  • (Score: 3, Insightful) by Lagg on Friday August 08 2014, @05:41PM

    by Lagg (105) on Friday August 08 2014, @05:41PM (#79001) Homepage Journal

    I can't even trust a seemingly well meaning and trustworthy project like Keybase [keybase.io] with my private key despite them open sourcing everything they've done. The idea that Google and especially Yahoo expect me to trust them is just outright laughable. Talk about ruining the point of a PRIVATE KEY.

    --
    http://lagg.me [lagg.me] 🗿
  • (Score: 3, Insightful) by kaszz on Friday August 08 2014, @05:46PM

    by kaszz (4211) on Friday August 08 2014, @05:46PM (#79002) Journal

    Yahoo has an even lesser spine than Google so why trust an NSL:able corporation with a setup that may be compromised at will anytime? And the browser environment lacks the determinism to really protect. It's not even really worth the opportunistic protection level. It's crap - and smart people know this.

    Security is not comfortable - deal with it. Or be rejected into the heap of peons.

  • (Score: 3, Insightful) by DrMag on Friday August 08 2014, @05:52PM

    by DrMag (1860) on Friday August 08 2014, @05:52PM (#79005)

    > Would you switch to reading mail in a browser for this feature?

    Why would I switch for this feature when it's already available in the local client I use, without the concern of my key being stored in some unknown, possibly shady server? At best, Yahoo is adding a feature that has kept browser mail clients behind the curve for some time.

    • (Score: 0) by Anonymous Coward on Saturday August 09 2014, @02:57AM

      by Anonymous Coward on Saturday August 09 2014, @02:57AM (#79214)

      This. Why is it that every time I see an article on mail encryption, no one seems to know that S/MIME is built into every major mail program out there, and key-generating routines into every major browser? It's built into Outlook, Apple's Mail both OSX and iOS, Thunderbird, Kmail (albeit with a bit of pain), and pretty much anything except webmail; it's a standard, it's interoperable, and it's already in place.

      It's ludicrously easy on a Mac to get a free S/MIME cert and install it in Keychain, at which point Mail will pick it up automatically and use it for the corresponding e-mail account. In fact, at this point I'd be only mildly impressed if Apple went the extra mile and made generating an S/MIME key part of the initialization process for new computers or iCloud accounts. They'd just have to set themselves up as a signer and re-use a lot of code that's already in place. Defaulting all the Mac users to using secure mail wouldn't take much effort, although it would probably piss off some providers that like to snoop.

      On the other hand, trying to set up S/MIME with pine is one of the most painful experiences imaginable. The *nix systems have some room for improvement in user experience here.

  • (Score: 0) by Anonymous Coward on Friday August 08 2014, @06:48PM

    by Anonymous Coward on Friday August 08 2014, @06:48PM (#79040)

    I think encryption is just for the 1% to keep their dirty secret and insider information.
    for the other 99% it is only useful to not become victims of bored lackeys ("lackeys" doesn't have 3 letters) of the 1% doing remote media, mind and general-control by digging into private information ... they have a scoreboard with:
    1) went on shooting rampage after successful psi-ops deployment.
    at the top?

  • (Score: 1) by antonovich on Saturday August 09 2014, @09:40AM

    by antonovich (4332) on Saturday August 09 2014, @09:40AM (#79266)