Yahoo Mail now has HTTPS on by default
Posted on 09 January 2014.
With a short blog post, Yahoo's SVP of Communication Products Jeff Bonforte has announced that the company has started encrypting all connections between their users and Yahoo Mail.


"Anytime you use Yahoo Mail - whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP- it is 100% encrypted by default and protected with 2,048 bit certificates," he wrote. "This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail."

But Ivan Ristic, Director of Engineering at Qualys and founder of SSL Labs, has tested some of the servers and says that the HTTPS implementation is not consistent on all of them.

Some of Yahoo's HTTPS email servers prefer a weak cipher (RC4); some use the AES cipher but haven't implemented mitigations for known attacks against it (for example BEAST and CRIME); and none of the company's servers he checked support forward secrecy (something that Google already did way back in 2011, and Facebook and Twitter did last year).

“I think we should accept that Yahoo needs time to get their servers in order when it comes to encryption, but perhaps they need to be more transparent about what they’re planning and doing,” Ristic said to Lucian Constantin. “For example, I would have preferred to see something along the lines of: ‘We haven’t done these other things yet, but here’s our schedule for addressing them’.”

Well, at least Yahoo has finally started doing something about it - let's hope they will fix these problems sooner rather than later.
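
The findings Ristic reports (RC4 selected, AES without BEAST/CRIME mitigations, no forward secrecy) can be checked against one's own servers. The following is an added example, not code from the article or from SSL Labs; the function names and finding labels are assumptions, and the sample inputs are constructed.

```python
import socket
import ssl

AEAD = {"GCM", "CCM", "CCM8", "CHACHA20", "POLY1305"}
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}   # key exchanges that give forward secrecy
OLD_PROTOCOLS = {"SSLv3", "TLSv1"}       # BEAST applies to CBC suites here

def assess(cipher, protocol, compression=None):
    """Map one negotiated connection to the weaknesses named in the article.

    cipher is an OpenSSL suite name, protocol is as returned by
    SSLSocket.version(), compression as returned by SSLSocket.compression().
    The CBC test is a name heuristic: not RC4 and not an AEAD mode.
    """
    parts = set(cipher.upper().replace("_", "-").split("-"))
    findings = []
    if "RC4" in parts:
        findings.append("rc4")
    elif not parts & AEAD and protocol in OLD_PROTOCOLS:
        findings.append("cbc-on-old-protocol")   # BEAST exposure
    if compression:
        findings.append("tls-compression")       # CRIME exposure
    if protocol != "TLSv1.3" and not parts & EPHEMERAL_KX:
        findings.append("no-forward-secrecy")
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect once and assess what the server selects for this client.

    Use 993, 995 or 465 for IMAP, POP or SMTP over implicit TLS. The result
    reflects only the suites the local OpenSSL build offers.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, _ = tls.cipher()
            return name, assess(name, tls.version(), tls.compression())

# Constructed sample results, not measurements of any real server.
SAMPLES = [
    ("RC4-SHA", "TLSv1", None),
    ("AES128-SHA", "TLSv1", None),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", None),
]

if __name__ == "__main__":
    for suite, proto, comp in SAMPLES:
        print(suite, proto, assess(suite, proto, comp))
```

A current Python build will not offer RC4 at all, so `probe` shows what a modern client negotiates rather than the server's full preference order; a complete picture needs a scanner that offers each suite in turn.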









Copyright 1998-2014 by Help Net Security.