Yahoo is finally getting serious about users’ security.
Encryption will be the default setting for all users logging into Yahoo’s e-mail service beginning Jan. 8, the company told The Washington Post. “Yahoo takes the security of our users very seriously,” the company said in an e-mailed statement to the publication.
Although Yahoo has offered SSL encryption as an option to users since January, users must turn it on themselves if they want enhanced privacy. The option will be switched on for all Yahoo users early next year.
The feature “encrypts your mail as it moves between your browser and Yahoo’s servers,” according to the company.
Yahoo is definitely late to the SSL encryption party.
Google made HTTPS-only access, which uses a protocol for secure communication over a computer network, the default for all Gmail users three years ago.
Microsoft made SSL the default for its e-mail service in July of 2012, and Facebook set it as a default for U.S. users in February and globally in July.
“Yahoo Mail has lagged behind competitors such as Hotmail (in the process of being rebranded Outlook.com) and Gmail by not allowing users to access their email through HTTPS,” writes security expert Graham Cluley on the Sophos Naked Security blog.
“If you don’t have full-session HTTPS turned on for your webmail, anybody on your Wi-Fi network could read any of the emails you write and receive using a tool like FireSheep, as they are transmitted from Yahoo to your browser. That’s because, without HTTPS, they are sent as unencrypted text.”
Yahoo received a letter from privacy advocates late last year asking the company to up the security for Yahoo Mail.
The letter from the Electronic Frontier Foundation, ACLU, Reporters Without Borders and several other organizations asked Yahoo CEO Marissa Mayer to implement HTTPS by default to better protect its users.
“Over the last several years, Yahoo has repeatedly been urged by security experts to adopt HTTPS, but has taken no visible steps to do so. Unfortunately, this delay puts your users at risk, which is particularly disturbing since Yahoo Mail is widely used in many of the world’s most politically repressive states,” the letter reads. “There have been frequent reports of political activists and government critics being shown copies of their e-mail messages as evidence during interrogation sessions, underscoring the importance of providing basic measures to protect the privacy of e-mail. Where online communications platforms are essential channels for the free flow of information and outlets for expression, offering HTTPS by default is a critical step that Yahoo must take to blunt some of the effects of mass surveillance and censorship.”
Yahoo’s decision will no doubt be applauded, but will also be seen as a better-late-than-never measure.