Yahoo (finally!) to make SSL encryption the default for webmail

Yahoo (finally!) to make SSL encryption the default for webmail

YahooYahoo has confirmed it will finally enable encryption by default for its web-based email starting on 8 January 2014, according to The Washington Post – one year to the day after it rolled out the option of protecting users’ webmail privacy with HTTPS.

Its webmail brethren have been way ahead of Yahoo for years now.

Google offered SSL as an option for webmail in July 2008 and made it the default setting in January 2010.

Microsoft followed, offering HTTPS as an option for Hotmail in November 2010 and switching to default during Hotmail’s rebranding to in July 2012.

Facebook made secure web browsing a default for US users in November 2012 and for all users worldwide (well, except if they use certain mobile phones and carriers that don’t fully support HTTPS) in July 2013.

As we noted when Yahoo first made secure browsing available, without full-session HTTPS turned on, anybody on your WiFi network could read any of the emails you write and receive, by using a tool like Firesheep, as they’re transmitted from Yahoo to your browser.

Does Yahoo’s head-scratching lateness still entail greatness?

As The Register’s Neil McAllister points out, recent revelations about the work of the US’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ) to decipher SSL-encrypted communications means that Yahoo’s decision to switch to default HTTPS might not only be “very late” but also “very little.”

But then again, NSA secret leaker Edward Snowden himself confirmed in a Q&A with Guardian readers in June that encryption works if properly implemented.

In fact, Snowden said, properly implemented, strong crypto systems are “one of the few things that you can rely on”, although, he added, the NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.

As Yahoo said in the email statement sent to The Washington Post:

Yahoo takes the security of our users very seriously.

Let’s hope it means business.

UPDATE: Interestingly, after we wrote about the upgrade to HTTPS, Yahoo contacted us to gush about the fact that they’ll be upgrading their RSA keys to 2048 bits at the same time, as ‘an extra layer of security.’

They’re probably now wishing they didn’t draw our attention so keenly to that fact.

To hear Yahoo tell it, you’d think they were adding a whole new ingredient to the sandwich you just ordered, when in fact all they’re really doing is giving you extra lettuce.

Anyway, the US National Institute for Standards and Technology (NIST), a body that you’d probably expect Yahoo to take notice of, already pretty much mandates that you should switch to 2048-bit RSA keys by the end of 2013, as part of staying one step ahead of cryptographic cracking.

So Yahoo’s breathless announcement that it will be making the 2048-bit key jump by January 2014 isn’t so much an upgrade as a way to help the company not to fail – further evidence of Yahoo simply being late to the party, rather than proactive about security.

If you’d like to dig a bit deeper into RSA keys take a look at Paul Ducklin’s handy graphical presentation of how RSA keys relate to security level that we published when Google announced its switch to 2048-bit keys back in May 2013.