Yahoo to encrypt webmail sessions by default starting January

Yahoo plans to make HTTPS connections standard for all users starting Jan. 8

Yahoo will start encrypting the webmail sessions of its users in early 2014 by making HTTPS (Hypertext Transfer Protocol Secure) standard for all Yahoo Mail connections.

Security experts, privacy advocates, and users have asked Yahoo for this feature for a long time. Other major webmail providers already offer it.

[ Learn how to protect your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]

In November 2012, the Electronic Frontier Foundation with other privacy, security and human rights organizations, sent a letter to Yahoo CEO Marissa Mayer asking the company to add HTTPS support to its communication services, including email and instant messaging.

HTTPS, which combines the HTTP Web communications protocol with the Secure Sockets Layer (SSL) encryption protocol, is widely used to secure connections between Web users and websites, and prevents sensitive data from being intercepted and read by unauthorized parties while in transit.

Yahoo started rolling out a new Web interface for Yahoo Mail late last year that provided support for full-session HTTPS, but only as an option. In order to enable the feature, users can go in their email account settings and check the "Use SSL" box in the "Security" section.

"Starting January 8, 2014, we will make encrypted https connections standard for all Yahoo Mail users," Jeffrey Bonforte, Yahoo's senior vice president of communication products, said Monday in a blog post. "Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users."

The move comes at a time when there is increased discussion about privacy and security online following revelations that the U.S. National Security Agency and the intelligence agencies of other countries are running extensive electronic surveillance programs.

Some of the NSA programs revealed by documents leaked by former NSA contractor Edward Snowden involve the upstream interception of Internet traffic as it passes through global networks, as well as data collection from online services providers including Yahoo, Microsoft, Google, Apple, Facebook, AOL and others.

The Washington Post reported Tuesday that the NSA collected online address books in bulk from Yahoo, Hotmail, Facebook, Gmail, and other email and chat programs at Internet access points controlled by foreign telecommunications companies and allied intelligence services.

This type of upstream data collection is something that HTTPS can potentially prevent, as long as the implementation is strong enough. The service provider might be later compelled to hand over the decrypted data at its end, but at least in that case the interception would be done with its knowledge.

In addition to preventing bulk data collection by government agencies, HTTPS can also prevent hacker attacks, like the theft of authentication cookies over insecure wireless networks or through cross-site scripting attacks.

"As one of the world's most popular free webmail services providers, Yahoo gained unwelcome attention from cybercriminals in the past months resulting in XSS attacks that ended in cookie theft and subsequent account abuse," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender. "The introduction of SSL will likely limit this behavior, among other dangers."

Botezatu believes that all types of digital communications should have been switched to HTTPS/SSL a long time ago. However, even though Yahoo will be late to enable it compared to other webmail providers, its decision is still salutary, he said.

Google implemented full-session HTTPS as an optional setting in Gmail back in 2008 and made it standard at the beginning of 2010. Microsoft added the option in Hotmail in November 2010 and enabled it by default for its Outlook.com webmail service in 2012.

Twitter starting rolling out HTTPS by default in August 2011 and Facebook in November 2012. Both services supported HTTPS as an option since early 2011.

The next step for Yahoo would be to switch Yahoo Messenger connections to SSL by default as well, Botezatu said. "In some regions, Yahoo Messenger usage still outnumbers other instant messaging clients, and customers rely on it for all sorts of communication, from personal to business, but these conversations are still sent in plain text, which makes it easier to snoop on by unauthorized parties."

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies