Yahoo to provide PGP encryption for mail

One of the world's largest web providers, Yahoo, will provide its email customers with digital signing and encryption of messages through an extension of the Pretty Good Privacy (PGP) program.

Alex Stamos, Yahoo CISO.

Yahoo chief information security officer Alex Stamos made the announcement at the annual Black Hat security conference in Las Vegas.

Stamos told iTnews that the project was still some way off.

"We are working to design a key server architecture that allows for automatic discovery of public keys within Yahoo.com and other participating mail providers and to integrate encryption into the normal mail flow," Stamos said.

While effective as a personal encryption solution, PGP is notoriously difficult to use with public/private key pairs. Stamos believes Yahoo can nevertheless make it work for non-technical users.

"It won’t be easy, but I think we can design a user experience that makes encrypting messages a one-click option for many people," he said.

Yahoo will use a fork of Google’s End to End OpenPGP plugin that is currently in development.

“We are using the same crypto core with a different front-end, and will look at unifying with Google’s plugin once the dust settles,” Stamos said.

Stamos was reluctant to announce a firm date for the PGP functionality for Yahoo Mail, but said the company will release the first source code for its version of the extension in the northern hemisphere this autumn.

The goal is to have the full product ready in 2015, Stamos said.

He declined to detail how government intelligence agencies and law enforcement would react to Yahoo Mail customers being able to individually encrypt messages, something that would make interception of their content potentially impossible.

Yahoo follows the likes of Google, Facebook and Microsoft, who also recently announced they would encrypt internal traffic in response to the Snowden spying revelations.