Yahoo (finally!) to make SSL encryption the default for webmail

library
crime | hacking | security

Yahoo has confirmed it will finally enable encryption by default for its web-based email starting on 8 January 2014, according to The Washington Post – one year to the day after it rolled out the option of protecting users’ webmail privacy with HTTPS.

Its webmail brethren have been way ahead of Yahoo for years now.

Google offered SSL as an option for webmail in July 2008 and made it the default setting in January 2010.

Microsoft followed, offering HTTPS as an option for Hotmail in November 2010 and switching to default during Hotmail’s rebranding to Outlook.com in July 2012.

Facebook made secure web browsing a default for US users in November 2012 and for all users worldwide (well, except if they use certain mobile phones and carriers that don’t fully support HTTPS) in July 2013.

As we noted when Yahoo first made secure browsing available, without full-session HTTPS turned on, anybody on your WiFi network could read any of the emails you write and receive, by using a tool like Firesheep, as they’re transmitted from Yahoo to your browser.

Does Yahoo’s head-scratching lateness still entail greatness?

As The Register’s Neil McAllister points out, recent revelations about the work of the US’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ) to decipher SSL-encrypted communications means that Yahoo’s decision to switch to default HTTPS might not only be “very late” but also “very little.”

But then again, NSA secret leaker Edward Snowden himself confirmed in a QA with Guardian readers in June that encryption works if properly implemented.

In fact, Snowden said, properly implemented, strong crypto systems are “one of the few things that you can rely on”, although, he added, the NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.