Yahoo, following the lead of Google and Microsoft, has now enabled HTTPS encryption for all Yahoo Mail users by default.
A short company blog post by Jeff Bonforte, Yahoo’s senior vice president of Communication Products said:
As we promised back in October, we are now automatically encrypting all connections between our users and Yahoo Mail. Anytime you use Yahoo Mail – whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP- it is 100% encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.
The implementation of encrypted connections, which came in a day earlier than the company’s self-imposed January 8 deadline, is part of Yahoo’s plans to beef up its security in response to growing concerns over government surveillance activities across the internet.
The leak of confidential documents by former NSA contractor Edward Snowden, which revealed how the NSA was collecting email metadata and snooping on other forms of internet communication, has prompted Yahoo and several other tech giants to work on making such surveillance significantly harder.
Some observers have pointed out that Yahoo hasn’t gone the whole way with HTTPS, notably because it hasn’t implemented what’s known as “forward secrecy.”
If you’re not familiar with the idea of forward secrecy, you might want to take a look at Paul Ducklin’s explanation of it from November 2013, when Twitter started using it.
Plain HTTPS connections use a public-private keypair so that your traffic to the server is encrypted, and the server is vouched for by the HTTPS certificate it presents.
But you can use the server’s private key later on to decrypt all current and previous traffic, assuming the earlier traffic was logged somewhere.
Forward secrecy adds a second layer of encryption, effectively using a throw-away public-private keypair to scramble each session, as well as using the server’s public-private keypair to identify that you are connected to the right server.
If the throw-away keypairs really are thrown away after each session, encrypted traffic can’t be unscrambled later.
Of course, webmail services have access to your unencrypted emails anyway, at least for a while, but forward secrecy nevertheless adds some additional security comfort.
On the other hand, forward secrecy also increases latency (more network traffic is needed when you login) and processing requirements (more CPU power is required to do the extra cryptographic calculations).
That’s probably why Yahoo hasn’t yet added it.
Google has offered HTTPS by default on Gmail since 2010. Facebook also began rolling out HTTPS on by default in November while Microsoft’s webmail service – Outlook.com – launched with the service back in July 2012.
Yahoo did actually introduce full-session HTTPS for its webmail users at the end of 2012 but it wasn’t implemented by default – users had to opt in prior to this.