Yahoo – DoGoodSoft's Official Blog

Google and Yahoo Encrypting Ad Network Connections

Google and Yahoo in separate announcements said they will individually encrypt ad network connections to reduce bot traffic and other types of ad fraud. The news coincides with the release of Malwarebytes Labs findings last week. Researchers found malvertising in Flash ads involving the DoubleClick ad network.

The two companies have support. The Interactive Advertising Bureau (IAB) continues to push the adoption of HTTPS ads and support encryption. In March, the IAB put out a call for the industry to adopt encryption. The industry trade group said many ad systems support HTTPS, but a member survey suggests that only 80% support the protocol. They called on the entire advertising supply chain to adopt practices, from ad servers and beacons to data partners and brand safety and verification tools.

Google said the majority of mobile, video, and desktop display ads on its Google Display Network, AdMob, and DoubleClick networks will become encrypted by June 30. Search on google.com is encrypted for a vast majority of users and the copany continues to work toward encrypting search ads across its systems.

YouTube ads have been encrypted since the end of last year, along with all searches, Gmail, and Drive. By the end of June, advertisers using AdWords and DoubleClick will serve HTTPS-encrypted display ads to all HTTPS-enabled inventory.

Yahoo VP of Revenue Management and Ad Policy James Deaker describes in a blog post what he calls “perhaps the largest-ever transition to SSL encryption for any publisher with display ads.” Yahoo recently implemented an end-to-end encryption extension for Yahoo Mail,” and strengthening security everywhere else along the advertising supply chain will help to create a safer Internet.

Next week, Yahoo will host a Trust UnConference in San Francisco, bringing together industry experts to discuss how to build safe products.

Yahoo Rolls Out End-To-End Encryption For Email

Back in 2012 (pre-Snowden!), we wrote about why Google should encrypt everyone’s emails using end-to-end encryption (inspired by a post by Julian Sanchez saying the same thing. Since then, securing private communications has become increasingly important. That’s why we were happy to see Google announce that it was, in fact, working on a project to enable end-to-end encryption on Gmail, though it was still in the early stages. In December of last year, Google moved that project to Github, showing that it was advancing nicely. As we noted at the time, one interesting sidenote on this was that Yahoo’s Chief Security Officer, Alex Stamos, was contributing to the project as well.

Thus it’s not surprising, but still great to see, that Stamos has now announced the availability of an end-to-end encryption extension for Yahoo Mail (also posted to Yahoo’s Github repository). It appears to function similarly to existing third-party extensions (like Mailvelope), but it’s still good to see the big webmail providers like Yahoo and Google taking this issue more seriously. It’s still not ready for prime time, and it’s unlikely that either provider is going to make this a default option any time soon, but offering more, better (and more user friendly) options to give everyone at least the option of doing end-to-end encryption is a very good sign.

It also raises a separate issue that I think is important: many have argued that companies like Yahoo and especially Google would never actually push for end-to-end encryption of emails, because it takes away the ability of those companies to do contextual advertising within those emails. But that’s an exceptionally short-sighted view. If Google, Yahoo and others don’t do enough to protect their users’ privacy, those users will go elsewhere, and then it won’t matter whether or not the emails are encrypted, because they won’t see them anyway. Focusing on the user first is always going to be the right solution, and that includes encrypting emails, even if it means slightly less ad revenue in the short term. Hopefully, Google, Yahoo and others remember this simple fact.

Tired of forgetting your password? Yahoo says you don’t need one any more

Tired of forgetting your password? Yahoo says you don't need one any more

Passwords: easily forgotten, but also easily guessed. It’s a bitter irony that minutes can be spent racking brains trying to remember whether a required security question answer is a pet’s name, first school or place of birth – meanwhile a cyber-criminal is merrily typing in a person’s favourite colour and relieving bank accounts of hard-earned wages.

Well, now Yahoo might have made the process easier – at least when it comes to accessing email.

The Californian tech giant is rolling out “on-demand” email passwords, based around phone notifications, and eliminating entirely the need to memorise a fixed password.

Yahoo Mail now offers a service similar to “two-step verification”, a security measure employed by other email providers, but the difference is the removal of the first step.

The password system is opt-in and can be accessed from Yahoo Mail’s landing page. Photograph: Yahoo screengrab

Two step verification works by a user logging in with their usual fixed password, after which the email provider sends a unique code to their mobile phone, which is then entered on the login screen, allowing the user to access their email account.

Yahoo’s new security process will remove the need for users to enter a fixed password first, and instead just send a four-letter password to a user’s phone via text.

Unveiling the service at the South by Southwest festival in Austin, Texas, Yahoo’s vice president of product management for consumer platforms Dylan Casey said: “This is the first step to eliminating passwords. I don’t think we as an industry has done a good enough job of putting ourselves in the shoes of the people using our products.”

A blog post written by the company’s director of product manager, Chris Stoner, explains the steps:

1. Sign in to your Yahoo.com account.

2. Click on your name at the top right corner to go to your account information page.

3. Select “Security” in the left bar.

4. Click on the slider for “On-demand passwords” to opt-in.

5. Enter your phone number and Yahoo will send you a verification code.

6. Enter the code and voila!

The “on-demand” password service is opt-in and currently only available in the US.

Also announced at the festival was Yahoo’s forthcoming project on end-to-end encryption. Based on Google’s alpha Chrome PGP encryption plugin, Yahoo hopes to make the service available in autumn 2015.

Yahoo puts email encryption plugin source code up for review

Yahoo released the source code for a plugin that will enable end-to-end encryption of email messages, a planned data-security improvement prompted by disclosures of U.S. National Security Agency snooping.

The company is asking security experts to look at its code, published on GitHub, and report vulnerabilities, wrote Alex Stamos, Yahoo’s chief information security officer, in a blog post.

The plugin should be ready by year end, wrote Stamos, who gave a presentation on Sunday at the South by Southwest conference in Austin, Texas.

Yahoo and Google have been collaborating to make their email systems compatible with end-to-end encryption, a technology based on the public-key cryptography standard OpenPGP. End-to-end encryption is not widely used, as it can be difficult for non-technical users to set up.

The technology encrypts a message’s contents so only the sender and recipient can read it. A message’s subject line is not encrypted, however, and neither is the routing metadata, which can’t be scrambled since it is needed in order to send a message.

A video included in the post by Stamos showed how someone could set up an encrypted message much faster using the company’s plugin versus using GPG Suite, a software package for sending encrypted email on Apple’s OS X.

Yahoo vowed to improve its data security after documents leaked by former NSA contractor Edward Snowden showed the spy agency had penetrated the company’s networks as well as those of many others, including Google.

Email encryption is one of a number of security improvements Yahoo and Google have undertaken.

In March 2014, Yahoo began encrypting traffic flowing between its data centers after information from Snowden indicated the NSA had access to those connections.

Google also encrypts connections between its data centers. Like Yahoo, the company has published its Chrome extension for end-to-end encryption on GitHub as well.