Yahoo’s new move towards email encryption

Posted by on Oct 21, 2013


Image from www.yahoomail.com

Yahoo has made significant cosmetic improvements to its user interface, but security flaws remain that still need to be addressed. The service has been under scrutiny from security experts because of the changes it has made to its email service lately. This summer Yahoo launched an email-recycling program, releasing the addresses of accounts that are no longer active so that current users could claim them. Unfortunately this scheme for re-engaging old users and rewarding active ones created serious risks to user privacy. Some users with recycled Yahoo IDs received email intended for the previous account holders, and so had access to whatever was still being sent to those addresses, including sensitive information such as Social Security numbers and credit card details of the previous users.

Another issue related to this program was that Yahoo removed contacts from users’ contact lists without their consent. Yahoo’s intent was to strip recycled, now-invalid addresses from people’s address books so that mail meant for the previous holder would not reach the new one. However the move was not executed properly, and in some cases Yahoo ended up deleting valid addresses. It also raised security concerns among users, because Yahoo had reached into their accounts and changed their contact data without authorization. Any webmail provider can of course read and modify the data it stores, but if Yahoo is willing to delete contacts silently, users have reason to ask what else in their accounts may be altered or accessed without notice. Yahoo has acknowledged both issues and says steps have been taken to resolve them.

Image from www.pcworld.com

Unlike Google or Microsoft, Yahoo does not enable SSL by default for Yahoo Mail users. Yahoo lets users log in over SSL and then drops back to an unencrypted connection for the regular mail session. As a result, any email you read or send via Yahoo Mail, and the session cookie that identifies you as logged in, can easily be intercepted on a public Wi-Fi connection. Yahoo has taken a fair amount of criticism for not moving to SSL encryption, given the recent revelations by former NSA contractor Edward Snowden. “Interestingly, the Washington Post revealed that government spooks had collected twice as many contacts from Yahoo Mail as all of the other major web mail services combined. No reason was given for this, but one likely cause could be due to Yahoo Mail’s lack of SSL encryption.”

A well-known demonstration of the problem is Firesheep, a Firefox add-on that passively captures the session cookies of unencrypted web sessions travelling over the same network and lets the attacker replay them to take over the account for as long as that login session lasts. Encrypting only the login page does not help here: the password is protected, but the cookie issued afterwards is sent in the clear with every plain HTTP request. During that time frame the attacker can read all your email messages and access your contact data. Firesheep is just one example of how unencrypted web sessions can be hijacked; there are various other tools that do the same to unprotected online accounts.

With all these security concerns in mind, Yahoo has decided to introduce SSL encryption by default in its email service. Yahoo confirmed to The Washington Post that it will enable HTTPS by default for Yahoo Mail starting January 8, 2014. Security experts have welcomed Yahoo’s move to HTTPS for its web email service. Amie Stepanovich, Director of the Domestic Surveillance Program at the Electronic Privacy Information Center, commended Yahoo for the move. “It’s always a positive thing when companies take steps to protect their customers’ information,” she said, but noted, “Unfortunately, this often only happens after a harmful event.”

Yahoo has offered an opt-in to SSL encryption through Yahoo Mail’s settings since late 2012 or early 2013, but it is disabled by default. You can activate it yourself by taking the following steps:

  • Click on the settings cog in the upper right corner of the Yahoo Mail Inbox.
  • Select “Settings” from the dropdown menu and then select “Security”.
  • In the “Security” section, tick the “Always use HTTPS” checkbox and then press “Save”.
Screenshot by author

  • Once the above steps are completed, your Inbox tab will refresh and you will see the lock icon on the left side of the address bar along with the letters “https”. This protects the path between your browser and Yahoo’s servers; it does not encrypt the mail itself end to end, and Yahoo can still read it.
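To show what the “Always use HTTPS” setting actually has to deliver to defeat the Firesheep-style attack described above, here is an added example (not Yahoo’s or SpiderOak’s code) in Python that audits a login response the way a practitioner would check any webmail provider: the post-login redirect must stay on https://, the server should send a Strict-Transport-Security header so the browser never falls back to http://, and the session cookie must carry the Secure flag, because without it the browser sends the cookie in the clear on any http:// request, which is exactly what Firesheep captures. The hostname, the cookie name SESSIONID and the two sample responses are constructed for illustration, not captured from Yahoo Mail.

```python
"""Audit a webmail login response for the properties that make
"always use HTTPS" actually protect the session.

Example code added to this post; it is not Yahoo's or SpiderOak's code.
Hostnames, cookie names and the two sample responses below are
constructed for illustration, not captured from Yahoo Mail.
"""
import re
from typing import Iterable, List, Tuple


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (lower-cased name, value) pairs.

    Duplicate names such as several Set-Cookie lines are all kept, in
    order; the status line is skipped and parsing stops at the blank
    line that ends the header block.
    """
    pairs = []
    for line in raw_response.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_flags(set_cookie: str) -> Tuple[str, bool, bool]:
    """Return (cookie name, has Secure, has HttpOnly) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, "secure" in attrs, "httponly" in attrs


def audit(raw_response: str, session_cookies: Iterable[str]) -> List[str]:
    """Return a list of finding codes, empty if the response is clean.

    Checks, in order:
      REDIRECT_TO_HTTP            post-login redirect drops to plain http://
      NO_HSTS                     no usable Strict-Transport-Security header
      COOKIE_NOT_SECURE:<name>    a session cookie will be sent over http://
      COOKIE_NOT_HTTPONLY:<name>  a session cookie is readable by page scripts
    """
    session_cookies = set(session_cookies)
    headers = parse_headers(raw_response)
    findings = []

    for name, value in headers:
        if name == "location" and value.lower().startswith("http://"):
            findings.append("REDIRECT_TO_HTTP")

    hsts = [v for n, v in headers if n == "strict-transport-security"]
    max_age = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if max_age is None or int(max_age.group(1)) == 0:
        findings.append("NO_HSTS")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, secure, httponly = cookie_flags(value)
        if cookie not in session_cookies:
            continue  # a leaked theme or locale cookie is not a hijack
        if not secure:
            findings.append(f"COOKIE_NOT_SECURE:{cookie}")
        if not httponly:
            findings.append(f"COOKIE_NOT_HTTPONLY:{cookie}")
    return findings


# Constructed sample: login over SSL, then the session is handed to an
# http:// inbox with a cookie that lacks the Secure flag. This is the
# "SSL at login only" pattern the post describes; a Firesheep-style
# sniffer on the same Wi-Fi sees SESSIONID in the very next plain request.
WEAK_RESPONSE = """HTTP/1.1 302 Found
Location: http://mail.example.com/inbox
Set-Cookie: SESSIONID=abc123; Path=/; Domain=.example.com
Set-Cookie: theme=dark; Path=/
Content-Length: 0
"""

# Constructed sample of what "always use HTTPS" should produce instead.
HARDENED_RESPONSE = """HTTP/1.1 302 Found
Location: https://mail.example.com/inbox
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SESSIONID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
Content-Length: 0
"""

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response, {"SESSIONID"}) or "OK")
```

Against a live service the same checks run on the headers returned after posting the login form (for example via `http.client`); the two constructed responses stand in for that here. The weak sample reports all four findings, the hardened one none. Note that even a clean result only means the transport is protected: the provider still reads the mail, and the recipient’s provider may deliver it in the clear.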


Secure your data with SpiderOak

In this age of PRISM revelations, users often find that selecting a truly protected third-party cloud service is a challenge, since most “secure” services on the market have security gaps that leave sensitive data exposed to third-party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring the benefits of the cloud along with complete data privacy. SpiderOak is available as an onsite deployment on private servers or as an outsourced deployment on a private, secured public cloud server, so that users and businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and devices can store and sync sensitive data with complete privacy, because the service has “zero knowledge” of user passwords or data: the encryption keys exist in plaintext only on the user’s approved devices, and SpiderOak’s servers only ever hold ciphertext. This way, even if programs like the NSA’s PRISM continue unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.
SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computers and mobile devices. Here the end user owns the data and is the only one with the keys to unlock and view the plaintext. You can sign up for this product now. SpiderOak Blue works seamlessly in your enterprise environment. For authentication it uses a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is available on Mac, Windows, Linux, iOS and Android. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.


4 Responses to “Yahoo’s new move towards email encryption”

  1. Aidan says:

    To me, it seems as though Yahoo in the year 2013 is trying to revamp their email and their website, when what they really need to do is a complete overhaul. In a world almost dominated by Google, Yahoo is just treading water.

  2. Rox says:

    I find it increasingly alarming how many citizens feel that a “free” service should live up to all of the expectations that they have for it. I may be old fashioned, but I still believe in “you get what you pay for”, and when you are using a free service you aren’t paying a dime for a thing. One is totally subject to their whims and fancies. Frankly, I also find it hard to take something seriously with a name such as “yahoo”. Again, this is more than likely the old fashioned part of me talking, but I do believe it is valid for my generation. Part of my duties in my daily position as Sales Manager is to review potential resumes for sales candidates, and one of my screening criteria consists of looking at the domain of an email address. When I see a free service, I realize that this is not a technically savvy individual that I want representing my company.

  3. Trent says:

    Yahoo better get its act together. I have been using them but I have thought about switching to a different service. The new email client is horrible. They deleted a lot of the good features and forced new features on us.

  4. Rob says:

    The moves towards SSL and HTTPS are a sign that things are changing. New avenues will be opening for email services that provide truly encrypted mailing services and this might be Yahoo’s chance to turn it around.
