

Yahoo Bolsters Encryption Between Data Centers, Promises Encrypted Messenger - sgy
http://techcrunch.com/2014/04/02/yahoo-bolsters-encryption-between-data-centers-promises-new-encrypted-messenger-in-months/?ncid=rss

======
xarball
If the messenger encryption doesn't feature end-to-end PKI, or at the very
least some form of session-based cipher that is not sharing any private keys
with Yahoo's network, it's ultimately ineffective.

If I may, Yahoo -- less preaching to the choir, and more straight-up
'yes/no(s)' about who can read their personal data. If the data is accessible
to Yahoo, it is no longer personal.

(It's a very simple concept!)

~~~
yeukhon
> If the messenger encryption doesn't feature end-to-end PKI, or at the very
> least some form of session-based cipher that is not sharing any private keys
> with Yahoo's network, it's ultimately ineffective.

Exactly how do you do that without changing how Yahoo makes money? Continue to
provide what they do currently (spam filter, smart labels, etc., ad
recommendations)? Multiple devices? Key management?

One way is simply to encrypt with the user's password, but Yahoo knows your
password.

Simple concept but complicated setup. I am not aware of any efficient and
effective methods yet to solve all the above. I'd be happy to learn.

~~~
sgy
All traffic through Yahoo data centers will be encrypted by default. They will
be implementing security measures like HSTS and Certificate Transparency +
support for TLS 1.2, 2048-bit RSA keys and Perfect Forward Secrecy.

~~~
yeukhon
From an article:

 _Yahoo has also turned on HTTPS encryption on its home page, search queries
that run on the home page and most of its properties. Yahoo supports TLS 1.2,
Perfect Forward Secrecy and 2048-bit RSA encryption for its home page, mail
and digital magazines, Stamos said. He added that users can initiate encrypted
sessions for Yahoo News, Sports, Finance and Good Morning America on Yahoo by
typing HTTPS in the URL. He also promised an encrypted version of Yahoo
Messenger in the coming months._

I don't think OP is looking for PFS. I think he's looking for perfect
encryption end-to-end so only he can decrypt the content, which means Yahoo
will only receive an encrypted payload which Yahoo! cannot decrypt.
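
The distinction drawn in this thread (transport encryption with PFS versus a payload the provider cannot decrypt), as an added example that is not part of any comment above and is not Yahoo's design. All names (`newClient`, `sessionKey`, `seal`, `unseal`, `relayCanRead`) are hypothetical, and the message is constructed sample data.

```javascript
// Added illustration: end-to-end encryption where the relay never holds a key.
const crypto = require('node:crypto');

// Each client generates its own X25519 key pair; the private key stays on the client.
function newClient() {
  return crypto.generateKeyPairSync('x25519');
}

// Derive a 256-bit message key from the ECDH shared secret with HKDF-SHA256.
function sessionKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2e-demo', 32));
}

// AES-256-GCM: confidentiality plus an authentication tag over the ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function unseal(key, msg) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.body), d.final()]).toString('utf8'); // throws on a wrong key
}

// The relay stands in for the provider: it sees public keys and ciphertext only.
function relayCanRead(msg, publicKeys) {
  const relay = newClient(); // the relay can only combine its own private key with what it sees
  for (const pub of publicKeys) {
    try { unseal(sessionKey(relay.privateKey, pub), msg); return true; }
    catch (e) { /* authentication tag mismatch: wrong key */ }
  }
  return false;
}

function demo() {
  const alice = newClient(), bob = newClient();
  const msg = seal(sessionKey(alice.privateKey, bob.publicKey), 'constructed sample message');
  return {
    bobReads: unseal(sessionKey(bob.privateKey, alice.publicKey), msg),
    relayReads: relayCanRead(msg, [alice.publicKey, bob.publicKey]),
  };
}
```

This assumes each client has verified the other's public key out of band; a relay that can substitute public keys in transit is outside what the sketch covers, which is the key-management question raised earlier in the thread.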

