"Access is encouraged to see that Yahoo! is now supporting HTTPS globally for its mail and messaging services, an important and overdue step for the security and privacy of its users," AccessNow.org, a digital freedom advocacy group that also signed the November letter, said Friday in a blog post. "Pending technical analysis of its implementation, we believe this decision by Yahoo! responds to some of the concerns raised by civil society and security experts, and signals a continuing strengthening of their services' privacy protections."
Yahoo's competitors have supported full-session HTTPS for some time. Google implemented full-session HTTPS as an optional setting in Gmail back in 2008 and at the beginning of 2010 it turned it on by default for all Gmail users. Microsoft added the option in Hotmail in November 2010 and the new Outlook.com webmail service uses it by default.
Facebook and Twitter have had support for full-session HTTPS since 2011 and earlier this year they started enabling it by default for all of their users.
The next important step for Yahoo would be to enable HTTPS by default globally across all of its products and services, Access said.
In the meantime, the EFF will attempt to tweak its HTTPS Everywhere browser extension so that it always turns on HTTPS for Yahoo Mail even if users are unaware that the setting exists in their email options.