Yahoo has completed the first stage of its plan to fully encrypt most of its Web services, greatly increasing the security of Yahoo’s Webmail, search and other Web pages. These measures will make it much more difficult for criminals and spies to capture Yahoo users’ data.
Websites including Yahoo Mail, the main Yahoo homepage and Yahoo Digital Magazines now have “the latest in security best-practices” and use secure Web connections by default, said Yahoo Chief Information Security Officer Alex Stamos in a blog post yesterday (April 2). Next up, Stamos wrote, is an encrypted version of Yahoo Messenger, which will roll out in the next few months.
Most, but not all, of Yahoo’s websites now use RSA encryption with a 2048-bit key and Perfect Forward Secrecy. Even if snoops compromise the encryption key for one online session, they will not be able to see data from any other sessions.
These sites and services also support TLS 1.2, which is the latest protocol for encrypting Web traffic. It’s more secure than its predecessor SSL, which some security experts believe the National Security Agency may have cracked. You can tell that a Web page is using SSL or TLS if its URL begins with “https” instead of simply “http.”
HTTPS encryption has been the default for Yahoo Mail since early January, and it is now also the default for all search queries sent through Yahoo’s main site and “most Yahoo properties,” according to Stamos’ blog post.
“We are currently working to bring all Yahoo sites up to this standard,” he wrote.
Email messages exchanged between Yahoo and other mail providers now use SMTP TLS, adding TLS encryption to the regular SMTP mail-delivery protocol, Stamos added.
For now, users can start encrypted Web sessions on the Yahoo News, Yahoo Sports, Yahoo Finance and Yahoo’s Good Morning America websites by manually typing “https” at the start of the URL in the Web browser. Stamos admitted to The Wall Street Journal that making encryption the default on those sites would hurt their advertising-based business models.
All traffic between Yahoo’s data centers, which does not travel over the regular Internet, is fully encrypted as of March 31.