Wednesday, October 16, 2013

Yahoo to encrypt webmail sessions by default starting January


Yahoo will start encrypting the webmail sessions of its users in early 2014 by making HTTPS (Hypertext Transfer Protocol Secure) standard for all Yahoo Mail connections.


Security experts, privacy advocates, and users have asked Yahoo for this feature for a long time. Other major webmail providers already offer it.


[ Learn how to protect your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]


In November 2012, the Electronic Frontier Foundation with other privacy, security and human rights organizations, sent a letter to Yahoo CEO Marissa Mayer asking the company to add HTTPS support to its communication services, including email and instant messaging.


HTTPS, which combines the HTTP Web communications protocol with the Secure Sockets Layer (SSL) encryption protocol, is widely used to secure connections between Web users and websites, and prevents sensitive data from being intercepted and read by unauthorized parties while in transit.


Yahoo started rolling out a new Web interface for Yahoo Mail late last year that provided support for full-session HTTPS, but only as an option. In order to enable the feature, users can go in their email account settings and check the "Use SSL" box in the "Security" section.


"Starting January 8, 2014, we will make encrypted https connections standard for all Yahoo Mail users," Jeffrey Bonforte, Yahoo's senior vice president of communication products, said Monday in a blog post. "Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users."


The move comes at a time when there is increased discussion about privacy and security online following revelations that the U.S. National Security Agency and the intelligence agencies of other countries are running extensive electronic surveillance programs.


Some of the NSA programs revealed by documents leaked by former NSA contractor Edward Snowden involve the upstream interception of Internet traffic as it passes through global networks, as well as data collection from online services providers including Yahoo, Microsoft, Google, Apple, Facebook, AOL and others.


The Washington Post reported Tuesday that the NSA collected online address books in bulk from Yahoo, Hotmail, Facebook, Gmail, and other email and chat programs at Internet access points controlled by foreign telecommunications companies and allied intelligence services.


This type of upstream data collection is something that HTTPS can potentially prevent, as long as the implementation is strong enough. The service provider might be later compelled to hand over the decrypted data at its end, but at least in that case the interception would be done with its knowledge.


In addition to preventing bulk data collection by government agencies, HTTPS can also prevent hacker attacks, like the theft of authentication cookies over insecure wireless networks or through cross-site scripting attacks.


Source: http://podcasts.infoworld.com/d/security/yahoo-encrypt-webmail-sessions-default-starting-january-228794?source=rss_applications
Related Topics: Robinson Cano   Americas Cup   remembering 9/11   clemson   Justin Morneau  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.