Yahoo to encrypt webmail sessions by default starting January

Yahoo plans to make HTTPS connections standard for all users starting Jan. 8

Yahoo will start encrypting the webmail sessions of its users in early 2014 by making HTTPS (Hypertext Transfer Protocol Secure) standard for all Yahoo Mail connections.

Security experts, privacy advocates and users have asked Yahoo for this feature for a long time. Other major webmail providers already offer it.

In November 2012, the Electronic Frontier Foundation with other privacy, security and human rights organizations, sent a letter to Yahoo CEO Marissa Mayer asking the company to add HTTPS support to its communication services, including email and instant messaging.

HTTPS, which combines the HTTP Web communications protocol with the Secure Sockets Layer (SSL) encryption protocol, is widely used to secure connections between Web users and websites, and prevents sensitive data from being intercepted and read by unauthorized parties while in transit.

Yahoo started rolling out a new Web interface for Yahoo Mail late last year that provided support for full-session HTTPS, but only as an option. In order to enable the feature, users can go in their email account settings and check the "Use SSL" box in the "Security" section.

"Starting January 8, 2014, we will make encrypted https connections standard for all Yahoo Mail users," Jeffrey Bonforte, Yahoo's senior vice president of communication products, said Monday in a blog post. "Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users."

The move comes at a time when there is increased discussion about privacy and security online following revelations that the U.S. National Security Agency and the intelligence agencies of other countries are running extensive electronic surveillance programs.

Some of the NSA programs revealed by documents leaked by former NSA contractor Edward Snowden involve the upstream interception of Internet traffic as it passes through global networks, as well as data collection from online services providers including Yahoo, Microsoft, Google, Apple, Facebook, AOL and others.

The Washington Post reported Tuesday that the NSA collected online address books in bulk from Yahoo, Hotmail, Facebook, Gmail and other email and chat programs at Internet access points controlled by foreign telecommunications companies and allied intelligence services.

This type of upstream data collection is something that HTTPS can potentially prevent, as long as the implementation is strong enough. The service provider might be later compelled to hand over the decrypted data at its end, but at least in that case the interception would be done with its knowledge.

In addition to preventing bulk data collection by government agencies, HTTPS can also prevent hacker attacks, like the theft of authentication cookies over insecure wireless networks or through cross-site scripting attacks.

"As one of the world's most popular free webmail services providers, Yahoo gained unwelcome attention from cybercriminals in the past months resulting in XSS attacks that ended in cookie theft and subsequent account abuse," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender. "The introduction of SSL will likely limit this behavior, among other dangers."

Botezatu believes that all types of digital communications should have been switched to HTTPS/SSL a long time ago. However, even though Yahoo will be late to enable it compared to other webmail providers, its decision is still salutary, he said.

Google implemented full-session HTTPS as an optional setting in Gmail back in 2008 and made it standard at the beginning of 2010. Microsoft added the option in Hotmail in November 2010 and enabled it by default for its webmail service in 2012.

Twitter starting rolling out HTTPS by default in August 2011 and Facebook in November 2012. Both services supported HTTPS as an option since early 2011.

The next step for Yahoo would be to switch Yahoo Messenger connections to SSL by default as well, Botezatu said. "In some regions, Yahoo Messenger usage still outnumbers other instant messaging clients, and customers rely on it for all sorts of communication, from personal to business, but these conversations are still sent in plain text, which makes it easier to snoop on by unauthorized parties."

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetyencryptiondata protectionprivacybitdefenderFacebookAOLAppleYahooGoogleMicrosoftsecurity

More about AOLAppleElectronic Frontier FoundationFacebookGoogleHotmailMessengerMicrosoftNational Security AgencyNSAYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place