Yahoo Mail now has HTTPS on by default
Posted on 09 January 2014.
With a short blog post, Yahoo's SVP of Communication Products Jeff Bonforte has announced that the company has started encrypting all connections between their users and Yahoo Mail.

"Anytime you use Yahoo Mail - whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP - it is 100% encrypted by default and protected with 2,048 bit certificates," he wrote. "This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail."

But Ivan Ristic, Director of Engineering at Qualys and founder of SSL Labs, has tested some of the servers and says that the HTTPS implementation is not consistent on all of them.

Some of Yahoo's HTTPS email servers prefer a weak cipher (RC4); some use the AES cipher but haven't implemented mitigations for known attacks against it (for example BEAST and CRIME); and none of the company's servers he checked support forward secrecy (something that Google already implemented way back in 2011, and Facebook and Twitter did last year).
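The three findings above can be checked against any negotiated TLS session. The following is an added example, not code from Ristic, SSL Labs or Yahoo: the function name `tls_findings`, the finding labels and the sample sessions are assumptions made here, the inputs mirror what Python's `ssl.SSLSocket.cipher()[0]`, `.version()` and `.compression()` return, and the checks are simplified heuristics over OpenSSL-style suite names.

```python
# Added example: classify one negotiated TLS session against the issues
# reported above (RC4 preferred, BEAST/CRIME exposure, no forward secrecy).
# Function name and finding labels are hypothetical, chosen for illustration.

def tls_findings(cipher_name, protocol, compression=None):
    """Return a sorted list of findings for one negotiated session.

    cipher_name: OpenSSL-style suite name, e.g. ssl.SSLSocket.cipher()[0]
    protocol:    negotiated version, e.g. ssl.SSLSocket.version()
    compression: TLS compression method, e.g. ssl.SSLSocket.compression()
    """
    name = cipher_name.upper()
    # TLS 1.3 suites ("TLS_...") are AEAD-only and always use ephemeral keys.
    tls13 = name.startswith("TLS_")
    findings = set()

    if "RC4" in name:
        findings.add("rc4")

    # OpenSSL omits "CBC" from most CBC suite names, so infer it:
    # a block cipher with no AEAD mode marker is running in CBC mode.
    block = any(c in name for c in ("AES", "CAMELLIA", "DES", "SEED"))
    aead = any(m in name for m in ("GCM", "CCM", "CHACHA20"))
    # BEAST concerns CBC suites on SSL 3.0 / TLS 1.0.
    if block and not aead and not tls13 and protocol in ("SSLv3", "TLSv1"):
        findings.add("beast-cbc")

    # CRIME relies on TLS-level compression being negotiated.
    if compression is not None:
        findings.add("crime-compression")

    # Forward secrecy needs an ephemeral (EC)DHE key exchange.
    if not (tls13 or name.startswith(("ECDHE-", "DHE-", "EDH-"))):
        findings.add("no-forward-secrecy")

    return sorted(findings)


# Constructed sample sessions (not measurements of any real server).
SAMPLES = [
    ("RC4-SHA", "TLSv1", None),
    ("AES128-SHA", "TLSv1", "zlib compression"),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", None),
]

if __name__ == "__main__":
    for suite, proto, comp in SAMPLES:
        print(f"{suite:32} {proto:8} {tls_findings(suite, proto, comp)}")
```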

“I think we should accept that Yahoo needs time to get their servers in order when it comes to encryption, but perhaps they need to be more transparent about what they’re planning and doing,” Ristic said to Lucian Constantin. “For example, I would have preferred to see something along the lines of: ‘We haven’t done these other things yet, but here’s our schedule for addressing them’.”

Well, at least Yahoo has finally started doing something about it - let's hope they will fix these problems sooner rather than later.

