Skip to main content

Yahoo Makes HTTPS Default on Most Company Sites

Yahoo has completed the first stage of its plan to fully encrypt most of its Web services, greatly increasing the security of Yahoo's Webmail, search and other Web pages. These measures will make it much more difficult for criminals and spies to capture Yahoo users' data. 

Websites including Yahoo Mail, the main Yahoo homepage and Yahoo Digital Magazines now have "the latest in security best-practices" and use secure Web connections by default, said Yahoo Chief Information Security Officer Alex Stamos in a blog posting yesterday (April 2). Next up, Stamos wrote, is an encrypted version of Yahoo Messenger, which will unroll in the next few months.

MORE: 7 Ways to NSA-Proof Your Smartphone

Most, but not all, of Yahoo's websites now use RSA encryption with a 2048-bit key and Perfect Forward Secrecy. Even if snoops compromise the encryption key for one online session, they will not be able to see data from any other sessions.

These sites and services also support TLS 1.2, which is the latest protocol for encrypting Web traffic. It's more secure than its predecessor SSL, which some security experts believe the National Security Agency may have cracked. You can tell if a Web page is implementing SSL or TLS if the URL contains "https" instead of simply "http." 

HTTPS encryption has been the default for Yahoo Mail since early January, but is now the default for all search queries sent through Yahoo's main site and "most Yahoo properties," according to Stamos' blog post.

"We are currently working to bring all Yahoo sites up to this standard," he wrote.

Email messages exchanged between Yahoo and other mail providers now use SMTP TLS, adding TLS encryption to the regular SMTP mail-delivery protocol, Stamos added. 

For now, users can manually start encrypted Web sessions on the Yahoo News, Yahoo Sports, Yahoo Finance and Yahoo's Good Morning America websites by manually typing "https" before the URL in the Web browser. Stamos admitted to The Wall Street Journal that making encryption the default on those sites would hurt their advertising-based business models.

All traffic between Yahoo's data centers, traffic that does not use the regular Internet, is now fully encrypted as of March 31.

Yahoo announced plans to implement this encryption last November, amid revelations that the National Security Agency snoops on the traffic between data centers, which was supposedly isolated and therefore hadn't been encrypted.

"Yahoo has never given access to our data centers to the NSA or to any other government agency," wrote Yahoo CEO Marissa Mayer in the November post.

Stamos is a well respected security researcher, and Yahoo's hiring of him in late February instantly boosted the company's credentials in the information-security community. Just before he was hired by Yahoo, Stamos organized and ran the TrustyCon security conference in San Francisco as an alternative to the giant RSA security conference, following news reports that RSA had worked with the NSA to weaken its own security software.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us@TomsGuide, on Facebook and on Google+.