Yahoo puts email encryption plug-in source code up for review

Yahoo puts email encryption plug-in source code up for review

148470916-100371190-carousel.idge

Yahoo released the source code for a plug-in that will enable end-to-end encryption of email messages, a planned data-security improvement prompted by disclosures of U.S. National Security Agency snooping.

The company is asking security experts to look at its code,published on GitHub, and report vulnerabilities, wrote Alex Stamos, Yahoo’s chief information security officer, in a blog post.

The plug-in should be ready by year end, wrote Stamos, who gave a presentation on Sunday at the South by Southwest conference in Austin, Texas.

Yahoo and Google have been collaborating to make their email systems compatible with end-to-end encryption, a technology based on the public-key cryptography standard OpenPGP. End-to-end encryption is not widely used, as it can be difficult for non-technical users to set up.

The technology encrypts a message’s contents so only the sender and recipient can read it. A message’s subject line is not encrypted, however, and neither is the routing metadata, which can’t be scrambled since it is needed in order to send a message.

A video included in the post by Stamos showed how someone could set up an encrypted message much faster using the company’s plug-in versus using GPG Suite, a software package for sending encrypted email on Apple’s OS X.

Yahoo vowed to improve its data security after documents leaked by former NSA contractor Edward Snowden showed the spy agency had penetrated the company’s networks as well as those of many others, including Google.

Email encryption is one of a number of security improvements Yahoo and Google have undertaken.

In March 2014, Yahoo began encrypting traffic flowing between its data centers after information from Snowden indicated the NSA had access to those connections.

Google also encrypts connections between its data centers. Like Yahoo, the company has published its Chrome extension for end-to-end encryption on GitHub as well.