Google, Yahoo partner up on end-to-end encrypted web mail
Email client competitors Google and Yahoo are declaring a temporary truce and working together so both companies' end-to-end email encryption technologies line up with each other.
Last week, Alex Stamos, chief information security officer for Yahoo, announced at the Black Hat Security Conference in Las Vegas that Yahoo and Google will partner on coordinating email encryption systems so email traffic can move between both company's customers in a fully-encrypted state.
In a post-Edward Snowden, but still NSA world, hackers, corporate spies, and governments have had it far too easy when intercepting and reading private email messages, either in transit between servers or on email provider servers in data centers.
The only way to provide complete privacy and security for emails prior to delivery to intended recipients is to encrypt them securely from, you guessed it, end-to-end; that is, during transmission from senders, during layovers on email servers, and during subsequent re-transmission to end users. Only when its legal recipient opens an email can it be decrypted and read.
This works fine if an email is sent entirely through one email client, say from Gmail account to Gmail data center and from there to a receiving Gmail account. Should an email go from a Gmail account to a Hotmail/Outlook, or Yahoo, or ISP-provided account, etc. the email will not remain encrypted during the bulk of its journey. Other email clients may not even be able to process an email that has been encrypted with a proprietary technology. Microsoft, though, has released their own encryption system and it may make sense for the Redmond giant to work together with Google and Yahoo.
When the project is completed, estimated to be in 2015, customers of both companies will have the option of turning on the encryption feature in their email programs or in continuing to send email unprotected. Until end-to-end encryption is a fait accompli with the multitude of other email clients besides Google and Yahoo, problems could arise when sending encrypted emails through providers that are not on board with the premise.
At the core of the jointly developed technology will be PGP encryption, a proven way of encrypting data that has not yet been defeated, as far as we know. It shuns the traditional password-and-username system for embedded encryption keys in computers and mobile devices. But it only encrypts the content of an email, not the sender's or recipient's name or the subject line.
This technology may not be user-friendly at first. Stamos, speaking at Black Hat, said, "We have to make it clear to people that it is not secret that you're emailing your priest. But the content of what you're emailing him is secret."
Not happy about any of this are government and law enforcement organizations that may need access to the content of emails that ramble through Google or Yahoo mail systems, and may face a brick wall when denied that access. Google and Yahoo could legitimately claim they have no way of reading the emails, either. See everybody in court, someday.