Update: A Yahoo spokesperson tells WebProNews, “In addition to making https a default feature by January 2014 for all Yahoo Mail users, we plan to implement 2048-bit encryption keys, which will provide our users with a further layer of security.”
Yahoo has not been making the best headlines in the realms of Yahoo Mail or security lately, but now, they’ve revealed a move that should help with that.
Starting on January 8th, the company will turn on SSL/HTTPS encryption for Yahoo Mail by default for all of its users. This is according to a report from The Washington Post, which exchanged words with the company. The Post quotes Yahoo as saying:
“Yahoo takes the security of our users very seriously.”
Yahoo launched an email address recycling program back in the summer, giving current users access to old email addresses from accounts that are no longer active. As some have found, this has been exposing sensitive emails intended for those original account holders to the new account holders.
Another issue that has arisen from the program is that Yahoo has apparently been deleting contacts from users’ email addresses. Yahoo’s intent has been to keep users from sending emails to those old inactive accounts. The problem is that it’s not always getting it right, as we discovered that in some cases, Yahoo is deleting valid addresses from people’s contacts lists.
Both of these issues may only be happening in a few cases out of many, but they are happening, and Yahoo has acknowledged both.
Then there was “T-Shirt-Gate,” in which Yahoo drew some criticism for rewarding security researchers who found critical flaws in Yahoo’s products with nothing but credit at the Yahoo corporate store, where they could buy things like Yahoo t-shirts, socks, etc., instead of substantial cash rewards. Yahoo quickly corrected that situation.
But at least Yahoo is taking an inarguable step forward with HTTPS, even if it comes much later than it did with competitors Google and Microsoft.
Security industry veteran Graham Cluley, who has been extremely critical of Yahoo’s security blunders, even commends them for “finally” taking this step (though it’s been an option – just not the default – for users since this past January).
“Seriously, it will be good to see Yahoo finally enable SSL/HTTPS for all its webmail users,” he writes. “It’s just a crying shame that they have dragged their feet so much about doing it. One wonders how many users had their privacy put at risk by Yahoo’s tardiness?”
Users can turn on the setting now by going to Settings, then Security, and then selecting “Use SSL”.