Following the celebrated appointment of Marissa Mayer as CEO of Yahoo!, the new leadership has the opportunity to fix an urgent matter: Yahoo! Mail is the only major web-based e-mail service that continues to rely on insecure connections. Google enabled Hypertext Transfer Protocol Secure (HTTPS), a widely used communications protocol that allows secure communication over a computer network, by default on its Gmail service in early 2010, and Microsoft followed suit for its Hotmail service in July 2011.
To accelerate the process, on November 13, 2012, an open letter from 26 security experts, advocates and human rights activists was sent to Mayer, urging her to act as quickly as possible to secure user trust and safety by taking the “long overdue step” of deploying HTTPS encryption for all Yahoo! communications services. “Over the last several years,” the letter said, “Yahoo! has repeatedly been urged by security experts to adopt HTTPS, but has taken no visible steps to do so”:
Unfortunately, this delay puts your users at risk, which is particularly disturbing since Yahoo! Mail is widely used in many of the world's most politically repressive states.
There have been frequent reports of political activists and government critics being shown copies of their email messages as evidence during interrogation sessions, underscoring the importance of providing basic measures to protect the privacy of e-mail.
Where online communications platforms are essential channels for the free flow of information and outlets for expression, offering HTTPS by default is a critical step that Yahoo! must take to blunt some of the effects of mass surveillance and censorship.
A 2009 open letter to Google signed by 37 prominent computer security and privacy experts, urging the use of HTTPS security on services that process personal information, emphasized that HTTPS is “industry standard” security for protecting personal information on web services; these experts added that research shows “most users have no idea of the data interception risks that they face when using public wireless networks […] few users notice the presence or absence of HTTPS encryption and [users] fail to take appropriate precautions when HTTPS is not used.”
All the e-mail and social network providers criticized in this letter have since made HTTPS available or mandatory on their sites—except Yahoo!.
Several security experts and human rights organizations are recommending that users avoid Yahoo! Mail “because of its continued lack of essential security protections.” This advice in fact applies to any e-mail service that cannot be accessed via HTTPS, as the Tactical Technology Collective notes in this video.
Unless Yahoo! Mail fixes this serious deficiency, its users’ data will travel via HTTP, an insecure channel that is highly susceptible to man-in-the-middle and eavesdropping attacks. As mentioned above, other major providers of online services have implemented HTTPS encryption as a standard, including Facebook, which started rolling out always-on HTTPS in November 2012. Let's hope that this chorus of global voices encourages Yahoo! to fix the problem soon. We are counting the days.