Yahoo to introduce default SSL for webmail
As of early next year, Yahoo Mail users will no longer be forced to manually secure their communications with secure sockets layer (SSL) encryption.
Yahoo has announced that the SSL option will be enabled by default for its webmail users, starting Jan. 8, 2014.
On Monday, Jeffrey Bonforte, senior vice president of communication products at Yahoo, confirmed reports that the company was introducing the change. The Washington Post broke the news earlier that day, before Bonforte wrote on the company's Tumblr blog that default SSL was, indeed, on the way.
“Yahoo Mail users can already enable HTTPS [or Secure Sockets Layer (SSL)], a communications protocol that securely encrypts your information and messages as they move between your browser and Yahoo's servers,” Bonforte wrote, later explaining that the feature could be switched on under the security tab in Yahoo Mail settings.
“Starting Jan. 8, 2014, we will make encrypted https connections standard for all Yahoo Mail users. Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users,” Bonforte wrote.
In the past few years, other tech giants managing email accounts, like Google and Microsoft, set the encryption measure to default for Gmail and Outlook users.
With Yahoo now joining the fray, many security professionals took to Twitter to comment on the company's move to SSL as the default – also taking note that the step occurred in a rather delayed fashion.
The decision to shift to default SSL also closely coincided with revelations about the National Security Agency's mission to crack encryption methods widely used to secure internet communications, security practitioners tweeted.
On Tuesday morning, Chris Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union (ACLU), wrote on Twitter that Yahoo's move would make NSA's privacy-impacting efforts harder to achieve.
Yahoo turning on HTTPS by default will make mass collection harder for the NSA, but also China, Iran, etc. But NSA can still get FISA orders— Christopher Soghoian (@csoghoian) October 15, 2013
In a Tuesday email to SCMagazine.com, Pravin Kothari, founder and CEO of cloud encryption firm CipherCloud, wrote that the measure by Yahoo is just one of many factors the company should consider when moving to better secure users' data.
“There are a couple other important considerations for email encryption that I hope that Yahoo has implemented or is planning to deploy,” Kothari said. “On SSL itself, it's ideal to use 4096-bit or higher SSL encryption as cryptographers have warned that 2048-bit, which most of the internet still uses, can be broken in 10 to 20 years by advanced computing,” he added.
“Then, there's the flip side of the encryption coin to consider,” Kothari said. "SSL doesn't protect information stored on email servers. Because that information is in clear text, accounts are still vulnerable to breaches and cloud surveillance."