[csoghoian]

Yahoo still doesn't use HTTPS by default, for email or search.

Not using HTTPS is huge, gift-wrapped present to the NSA. It also means that the NSA can get Yahoo users' communications without even having to bother Yahoo, as they can get it with the assistance of backbone networks. Lower legal compliance costs for Yahoo, and the NSA gets what they need.

Seriously, Yahoo is awful on privacy and security. Don't reward them with your business.

[enko]

Hm, I think the HTTPS thing is overblown for sites that are hosted in the US. Almost no large sites do HTTPS termination on the actual app servers; it would be the simplest thing in the world to put the collection device behind the HTTPS endpoint.

Why bother trying to piece together data flows over a bunch of disparate backbone networks when you can just hook up a collector at the wellspring? I'd sure they'd be delighted to be able to tick off that whole company as "done", and set the verizon taps etc to ignore anything to them, secure in the knowledge they were getting it all elsewhere.

[mjolk]

You're thinking about it incorrectly. While termination at a load balancer is common, at least then you're in the company's network by the time your data is being transmitted in the clear.

It's far different for traffic to be plaintext from a load balancer backend, switch, to server interface than over X number of hops.

[enko]

> you're in the company's network

Yes, of course. What's incorrect?

I'm just saying that if you have unlimited ability to make secret tapping demands from whoever you want, you might as well make it easy for yourself and just go straight to the source.

[mjolk]

>you might as well make it easy for yourself and just go straight to the source.

I feel as if I'm not fully understanding you. Are you saying that because you expect your traffic to be read by a government agency, you might as well let any/everyone see your data?

[enko]

Sorry. I am evidently not explaining myself well.

I am saying that people seem to be putting a lot of trust into HTTPS to shield them from NSA monitoring. If I was the NSA, and could just tap whatever I wanted, I'd obviously set up my tap on the other side of the encrypted tunnel.

And let's not exaggerate. Only a very few organisations would have any ability to read your data even if sent unencrypted, barring of course wifi. It's simply not true that "any/everyone" can see your data if you're on a private LAN at home.

That being said, of course I prefer HTTPS. I just have no illusions that it's going to stop someone who can just waltz into the DC holding an NSL. There's no security from someone with physical access to the network.

[s_q_b]

I think NSA is cognizant of the fact that they could lose the FISA authorization to collect from endpoints at the internet services sometime soon, while they're more likely to retain access to the backbones.

It's bass ackward, since access to the trunk lines lets you read everything. However, most people don't understand what internet backbones are. They do know what PRISM, Facebook, Yahoo, and Google are.

As such, I can see HTTPS providing some limited security from dragnet surveillance, but it certainly wouldn't help if you caught their attention. Remember, NSA can straight up break weak encryption, and SSL/TLS is probably in that category.

[enko]

s_q_b, you are hellbanned. I can't reply directly.

I don't really believe the NSA can effortlessly break TLS at will. That just seems too far fetched. What kind of alien supertechnology do people suppose they have?

I prefer Occam's razor. If the NSA are interested in XYZ.com, they'll just go to XYZ.com's DC and put a damn traffic splitter on their network. There wouldn't be too many XYZ.coms before they covered a huge majority of the kind of traffic they're interested in.

Sure, they'll do the backbone listening as well, just because they can, but most of the time I don't see why they'd bother. Sure they could lose the authorisation. An asteroid could hit the earth. In the meantime...

edit: s_q_b's hellban seems even less justified than usual.

edit 2: nice work removing the hellban, mysterious admin person. Was not justified.

[somesay]

If NSA has to ask Google to get into their datacenter, it's already as bad as if Google gives them the data (or is forced to do so).

Also some companies, e.g. CloudFare has it documented somewhere, also use TLS 1.2 in their internal network.

[unicornporn]

By default, no. But you can easily enable it. At least for mail/calendar/contacts.

https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https...

[somesay]

In fact, Google is the only major company who uses TLS for mail transfers: http://i.i.cbsi.com/cnwk.1d/i/tim2/2013/06/21/Webmailencrypt...