Yahoo Mail now has HTTPS on by default
Posted on 09 January 2014.
With a short blog post, Yahoo's SVP of Communication Products Jeff Bonforte has announced that the company has started encrypting all connections between their users and Yahoo Mail.


"Anytime you use Yahoo Mail - whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP - it is 100% encrypted by default and protected with 2,048 bit certificates," he wrote. "This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail."

But Ivan Ristic, Director of Engineering at Qualys and founder of SSL Labs, has tested some of the servers and says that the HTTPS implementation is not consistent on all of them.

Some of Yahoo's HTTPS email servers prefer a weak cipher (RC4); some use the AES cipher but haven't implemented mitigations for known attacks against it (for example BEAST and CRIME); and none of the company's servers he checked support forward secrecy (something that Google already implemented way back in 2011, and Facebook and Twitter last year).

“I think we should accept that Yahoo needs time to get their servers in order when it comes to encryption, but perhaps they need to be more transparent about what they’re planning and doing,” Ristic said to Lucian Constantin. “For example, I would have preferred to see something along the lines of: ‘We haven’t done these other things yet, but here’s our schedule for addressing them’.”

Well, at least Yahoo has finally started doing something about it - let's hope they will fix these problems sooner rather than later.
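For administrators who want to check their own mail front ends for the three weaknesses listed above, here is an added example (not from the article, Yahoo, or SSL Labs) that classifies one negotiated TLS session. The function names, the finding strings and the sample sessions are constructed for illustration, and the CBC test is a heuristic on OpenSSL cipher names.

```python
import socket
import ssl

def audit(cipher, protocol, compression=None):
    """Return findings for one negotiated TLS session (OpenSSL cipher naming)."""
    findings = []
    tls13 = protocol == "TLSv1.3"
    if "RC4" in cipher:
        findings.append("RC4 negotiated")
    # Heuristic: OpenSSL names without an AEAD or stream marker are CBC suites.
    aead_or_stream = ("GCM", "CCM", "CHACHA20", "RC4")
    is_cbc = not tls13 and not any(m in cipher for m in aead_or_stream)
    if is_cbc and protocol in ("SSLv3", "TLSv1"):
        findings.append("CBC suite on TLS 1.0 or older (BEAST exposure)")
    if compression is not None:
        findings.append("TLS compression enabled (CRIME exposure)")
    # Forward secrecy needs an ephemeral key exchange; TLS 1.3 always has one.
    if not (tls13 or cipher.startswith(("ECDHE-", "DHE-", "EDH-"))):
        findings.append("no forward secrecy")
    return findings

def probe(host, port=443):
    """Audit the session a server you operate negotiates with this client.

    Only the single suite chosen for this client's offer is observed, so a
    clean result does not prove the server's whole preference list is clean.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return audit(name, tls.version(), tls.compression())

# Constructed sample sessions: (cipher, protocol, compression).
SAMPLES = [
    ("RC4-SHA", "TLSv1", None),
    ("AES128-SHA", "TLSv1", "zlib compression"),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", None),
]

def run_samples():
    """Map each constructed sample's cipher name to its findings."""
    return {c: audit(c, p, z) for c, p, z in SAMPLES}

if __name__ == "__main__":
    for cipher, findings in run_samples().items():
        print(cipher, "->", findings or ["no findings"])
```

`audit()` can also be fed cipher, protocol and compression values recorded by a scanner, since a modern Python client will not itself offer RC4 or TLS 1.0.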








