Posted by Kalyani M. on Oct 21, 2013
Yahoo has made significant cosmetic improvements to its user interface, but there are security flaws that still need to be addressed. It has been under the scrutiny of security experts because of the changes it has made to its email service lately. This summer Yahoo launched an email-recycling program, giving current users access to old email addresses from accounts that are no longer active. Unfortunately this scheme of re-engaging old users and rewarding active ones led to serious risks to user privacy. Some of the users with recycled Yahoo IDs received emails intended for the previous account holders. They were able to access all information intended for the original user, including sensitive information such as Social Security numbers and credit card details of previous users.
Another issue related to this program was that Yahoo removed contacts from users' contact lists without their consent. In doing so, Yahoo's intent was to remove recycled addresses from people's contact lists, so that the new holders of those addresses would not receive mail intended for the previous account holders. However, this move was not executed properly, and in some cases Yahoo ended up deleting valid addresses. It also raised security concerns among users, as Yahoo could get into their accounts and manage their contact details without their authorization. If Yahoo could delete their contact addresses, it is very likely that it can access other critical information in user accounts without their consent. Yahoo has acknowledged both of these issues, and steps have been taken to resolve them.
Unlike Google or Microsoft, Yahoo does not enable SSL encryption by default for Yahoo Mail users. Yahoo allows users to log in to their accounts via SSL and then switches to an unencrypted connection for the rest of the email session. As a result, any email you send via Yahoo Mail can be intercepted easily over public Wi-Fi connections. Yahoo has suffered a fair amount of criticism for not moving to SSL encryption, given the recent revelations by former NSA contractor Edward Snowden. "Interestingly, the Washington Post revealed that government spooks had collected twice as many contacts from Yahoo Mail as all of the other major web mail services combined. No reason was given for this, but one likely cause could be due to Yahoo Mail's lack of SSL encryption."
In a case study it was found that any email session not protected by SSL could be hijacked using a Firefox add-on called Firesheep. Firesheep captures the login session cookies sent from the targeted PC over the shared network and allows the attacker to gain access to your account for the duration of the current login period. During this time frame, the attacker will be able to read all your email messages and can access your contact data. Firesheep is just one example that shows how unencrypted email sessions can be hijacked; there are various other tools that can be used to take over unprotected online accounts.
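The weakness described in the two paragraphs above is that a session cookie issued over HTTPS is later resent by the browser over plain HTTP, where it can be read off the wire. Two response headers close that gap: the Secure attribute on the cookie (the browser never sends it over http://) and Strict-Transport-Security (the browser refuses plain HTTP to the site at all). The following audit script is an example added here; it is not code from the original article or from Yahoo, and the two sample responses and the host name mail.example.test are constructed for illustration.

```python
"""Audit HTTP response headers for the session-hijacking weakness described
above: a login over HTTPS whose session cookie is later sent over plain HTTP.

Two browser-enforced controls are checked:
  * the Secure attribute on every cookie (never sent over http://), and
  * a Strict-Transport-Security header (browser refuses plain HTTP at all).
HttpOnly is reported too, since it stops page scripts from reading the cookie.

The sample responses below are constructed for this example; they are not
captured from Yahoo or any other real service.
"""
from typing import Dict, List, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn a raw header block into (name, value) pairs, keeping duplicates
    (there is usually more than one Set-Cookie line)."""
    pairs = []
    for line in raw.strip().splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # skip the status line and anything malformed
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split 'name=val; Secure; HttpOnly; Path=/' into the cookie name and a
    case-insensitive set of attribute names."""
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": cookie_name, "attrs": attrs}


def audit_response_headers(raw: str) -> Dict[str, object]:
    """Report which cookies can leak over plain HTTP and whether HSTS is set."""
    findings = {"insecure_cookies": [], "no_httponly": [], "hsts": False}
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            cookie = parse_set_cookie(value)
            if "secure" not in cookie["attrs"]:
                findings["insecure_cookies"].append(cookie["name"])
            if "httponly" not in cookie["attrs"]:
                findings["no_httponly"].append(cookie["name"])
        elif name == "strict-transport-security":
            findings["hsts"] = True
    # Both controls must be present before a downgrade to http:// is harmless.
    findings["cookie_leak_prevented"] = (
        not findings["insecure_cookies"] and findings["hsts"]
    )
    return findings


# Constructed example: login succeeded over HTTPS, but the session cookie has
# no Secure flag and there is no HSTS, so the browser will resend the cookie
# the moment the site redirects back to http://.
WEAK_RESPONSE = """\
HTTP/1.1 302 Found
Location: http://mail.example.test/inbox
Set-Cookie: SESSID=abc123; Path=/; HttpOnly
Set-Cookie: PREFS=lang%3Den; Path=/
"""

# Constructed example: the same login with both browser-enforced controls.
HARDENED_RESPONSE = """\
HTTP/1.1 302 Found
Location: https://mail.example.test/inbox
Set-Cookie: SESSID=abc123; Path=/; Secure; HttpOnly
Set-Cookie: PREFS=lang%3Den; Path=/; Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(raw))
```

Run against the weak response, the audit lists both cookies as sendable over plain HTTP and reports no HSTS; against the hardened response it reports no insecure cookies and HSTS present. The same function can be pointed at headers saved from a browser's network panel for any site where a login page is HTTPS but the rest of the session is not.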
Taking all these security concerns into consideration, Yahoo has decided to introduce default SSL encryption in its email service. Yahoo has confirmed to The Washington Post that it will enable HTTPS encryption by default for Yahoo Mail starting January 8, 2014. Security experts have welcomed Yahoo's move to implement HTTPS encryption for its web email service. Amie Stepanovich, Director of the Domestic Surveillance Program at the Electronic Privacy Information Center, commended Yahoo for the move. "It's always a positive thing when companies take steps to protect their customers' information," she said, but noted, "Unfortunately, this often only happens after a harmful event."
Yahoo has offered an opt-in option for SSL encryption in Yahoo Mail's settings since late 2012 or early 2013. However, it is disabled by default; you can activate it yourself by taking the following steps:
Secure your data with SpiderOak
In this age of PRISM revelations, users sometimes find that selecting a truly protected third-party cloud service can be a challenge, as most "secure" services on the market have glaring security gaps that leave sensitive data wide open to third-party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment on private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.
SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely "zero knowledge" of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices, because SpiderOak never hosts any plaintext data. This way, even if programs like the NSA's PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak's cross-platform private cloud services are available for users on Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.
SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end user owns the data and is the only one with the keys to unlock and view the plaintext. You can sign up for this product now. SpiderOak Blue works seamlessly in your enterprise environment. To handle authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible with Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you're curious about the product, please send an email to firstname.lastname@example.org and we will get back to you soon.