After the celebrated appointment of Marissa Mayer as CEO of Yahoo!, the new leadership has the opportunity to fix an urgent matter: Yahoo! Mail is the only major web-based e-mail service that continues to rely on insecure connections. Google enabled Hypertext Transfer Protocol Secure (HTTPS), the widely used protocol that encrypts web traffic between browser and server, by default on its Gmail service in early 2010, and Microsoft followed suit for its Hotmail service in July 2011.
To accelerate the process, on November 13, 2012, an open letter from 26 security experts, advocates and human rights activists was sent to Mayer, urging her to act as quickly as possible to secure user trust and safety by taking the “long overdue step” of deploying HTTPS encryption for all Yahoo! communications services. “Over the last several years,” the letter said, “Yahoo! has repeatedly been urged by security experts to adopt HTTPS, but has taken no visible steps to do so”:
Unfortunately, this delay puts your users at risk, which is particularly disturbing since Yahoo! Mail is widely used in many of the world's most politically repressive states.
There have been frequent reports of political activists and government critics being shown copies of their email messages as evidence during interrogation sessions, underscoring the importance of providing basic measures to protect the privacy of e-mail.
Where online communications platforms are essential channels for the free flow of information and outlets for expression, offering HTTPS by default is a critical step that Yahoo! must take to blunt some of the effects of mass surveillance and censorship.
A 2009 open letter to Google signed by 37 prominent computer security and privacy experts, urging the use of HTTPS security on services that process personal information, emphasized that HTTPS is “industry standard” security for protecting personal information on web services; these experts added that research shows “most users have no idea of the data interception risks that they face when using public wireless networks […] few users notice the presence or absence of HTTPS encryption and [users] fail to take appropriate precautions when HTTPS is not used.”
All the e-mail and social network providers criticized in this letter have since made HTTPS available or mandatory on their sites—except Yahoo!.
CyberArabs posted a translation of the letter in Arabic, Free Press unlimited did the same in Dutch, and Ana published it in German.
Several security experts and human rights organizations are recommending that users avoid Yahoo! Mail “because of its continued lack of essential security protections.” This advice in fact applies to any e-mail service that cannot be accessed via HTTPS, as the Tactical Technology Collective notes in this video.
Unless Yahoo! Mail fixes this serious deficiency, its users’ data will travel via HTTP, an insecure channel that is highly susceptible to man-in-the-middle and eavesdropping attacks. As mentioned above, other major providers of online services have implemented HTTPS encryption as a standard, including Facebook, which started rolling out always-on HTTPS in November 2012. Let's hope that this chorus of global voices encourages Yahoo! to fix the problem soon. We are counting the days.
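"HTTPS by default" is more than the presence of an https:// URL: a browser is protected only if a plain-HTTP visit is redirected to HTTPS, the HTTPS response carries a Strict-Transport-Security header so later visits never start over cleartext, and session cookies are flagged Secure so they are never sent over HTTP. The following audit script is an added example, not code from this post, from Global Voices or from Yahoo!; it works offline on constructed HTTP responses, and the host `mail.example.test` and the cookie values are made up for illustration.

```python
"""Added example: judge whether a web-mail front end enforces HTTPS by default,
the way a browser would see it. Three conditions must all hold:
  1. a plain-HTTP request is answered with a redirect to https://,
  2. the HTTPS response sets Strict-Transport-Security (HSTS),
  3. every Set-Cookie carries the Secure attribute.
All responses below are constructed; mail.example.test is a placeholder host."""
from dataclasses import dataclass, field
from email.parser import Parser
from http.client import HTTPMessage
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class HttpsAudit:
    redirects_to_https: bool                 # http:// request redirected to https://
    hsts_max_age: Optional[int]              # max-age from the HTTPS response's HSTS header
    insecure_cookies: List[str] = field(default_factory=list)  # cookie names set without Secure

    @property
    def enforces_https(self) -> bool:
        return (self.redirects_to_https
                and self.hsts_max_age is not None and self.hsts_max_age > 0
                and not self.insecure_cookies)


def parse_response(raw: str) -> Tuple[int, HTTPMessage]:
    """Split a raw HTTP/1.1 response into (status code, headers) using the stdlib parser."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser(_class=HTTPMessage).parsestr(header_text)


def hsts_max_age(value: Optional[str]) -> Optional[int]:
    """Extract max-age from a value such as 'max-age=31536000; includeSubDomains'."""
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def cookies_without_secure(headers: HTTPMessage) -> List[str]:
    """Names of cookies whose attributes lack 'Secure' (they would be sent over plain HTTP)."""
    names = []
    for cookie in headers.get_all("Set-Cookie") or []:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            names.append(cookie.split("=", 1)[0].strip())
    return names


def audit(http_response: str, https_response: str) -> HttpsAudit:
    """Combine the response to the http:// URL and the response to the https:// URL."""
    status, http_headers = parse_response(http_response)
    location = http_headers.get("Location")
    redirects = (status in REDIRECT_CODES and location is not None
                 and urlsplit(location).scheme == "https")
    # Browsers ignore an HSTS header received over plain HTTP (RFC 6797),
    # so only the HTTPS response counts for condition 2.
    _, https_headers = parse_response(https_response)
    return HttpsAudit(
        redirects_to_https=redirects,
        hsts_max_age=hsts_max_age(https_headers.get("Strict-Transport-Security")),
        insecure_cookies=cookies_without_secure(http_headers) + cookies_without_secure(https_headers),
    )


CRLF = "\r\n"
# Constructed: the pattern the letter criticizes. Inbox served over HTTP, no HSTS, cookie not Secure.
WEAK_HTTP = CRLF.join(["HTTP/1.1 200 OK", "Content-Type: text/html",
                       "Set-Cookie: SID=constructed-session-id; Path=/; HttpOnly",
                       "", "<html>inbox</html>"])
WEAK_HTTPS = CRLF.join(["HTTP/1.1 200 OK", "Content-Type: text/html",
                        "Set-Cookie: SID=constructed-session-id; Path=/; HttpOnly",
                        "", "<html>inbox</html>"])
# Constructed: HTTPS by default. Redirect, one-year HSTS, Secure cookie.
GOOD_HTTP = CRLF.join(["HTTP/1.1 301 Moved Permanently",
                       "Location: https://mail.example.test/", "Content-Length: 0", "", ""])
GOOD_HTTPS = CRLF.join(["HTTP/1.1 200 OK",
                        "Strict-Transport-Security: max-age=31536000; includeSubDomains",
                        "Set-Cookie: SID=constructed-session-id; Path=/; Secure; HttpOnly",
                        "Content-Type: text/html", "", "<html>inbox</html>"])

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("hardened", (GOOD_HTTP, GOOD_HTTPS))):
        result = audit(*pair)
        print(f"{label}: enforces HTTPS = {result.enforces_https}  {result}")
```

The weak pair fails all three conditions, which is exactly the situation the letter describes: the inbox loads over HTTP and the session cookie would accompany any cleartext request. The hardened pair passes. Checking the HSTS header only on the HTTPS response matters because browsers discard it when it arrives over HTTP, so an operator who sets it only on the cleartext redirect gains nothing.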
I have a Yahoo mail account and noticed that, once I’m logged in, if in the address I substitute http:// with https:// the mail session remains in HTTPS mode.
Probably Yahoo has already implemented it but is waiting to announce it.
Last time I checked with sec experts it was not fixed. But I am crossing my fingers and I really hope you are right. ;D
Open letter to Marissa Mayer: HTTPS for all Yahoo! communications services now! – Global Voices Advocacy…
While it could be a good suggestion for their service, you, as a customer, always have to make a decision: you compare and then you buy. But this makes me think: if you’re using a FREE service, you’ve got to be kidding me! Otherwise you should get another service provider, simple as that.
I don’t think you even have proper IT training to talk about this. See, at http://mail.yahoo.com, is it SSL? It’s on SSL. Don’t like it? Use OpenID. If you think you can play MITM after that as easily as you mention it... wow, that’s a lot of mouth. Even with an older browser the user will know; your browser will let you know. And always, if your emails are too secret, try not to use SMTP to transfer them.