Yahoo, one of the last email holdouts to implement SSL by default, announced it will do so in January.
The company has been criticized as one of the few remaining giant Internet companies for its delay in turning on encryption by default for its web-based email users. It will now do so on Jan. 8, a year to the date from when it first gave users the option of using an SSL connection for email sessions.
The lag is noteworthy for Yahoo, which is more than three years behind Google’s default implementation of SSL for Gmail. Users of Microsoft’s Outlook.com webmail service have had SSL enabled by default since July 2012 while Facebook made it the default this February.
Yahoo refused a request for an interview on the delays, and instead pointed Threatpost to an online statement made by senior VP of communication products Jeffrey Bonforte.
“Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users,” Bonforte said in the statement.
Yahoo’s decision to offer SSL as an option earlier this year was made public shortly after a November 2012 letter from a number of advocacy groups co-signed a letter to CEO Marissa Mayer urging her to implement HTTPS by default, calling transport encryption a fundamental security requirement. The group, which included representatives of the Electronic Frontier Foundation, American Civil Liberties Union, Tibet Action Institute, Reporters without Borders and many more, made it clear the decision not only put privacy at risk, but endangered lives.
“Unfortunately, this delay puts your users at risk, which is particularly disturbing since Yahoo! Mail is widely used in many of the world’s most politically repressive states. There have been frequent reports of political activists and government critics being shown copies of their email messages as evidence during interrogation sessions, underscoring the importance of providing basic measures to protect the privacy of e-mail,” the letter said.
The news comes a day after the Washington Post reported on a new set of leaked documents from NSA whistleblower Edward Snowden. The latest revelation concerns the NSA’s collection of email contact lists and buddy lists from a number of instant messaging services in order to map relationships between foreign surveillance targets and their online connections.
The Post report paints a snapshot of collection activity over the course of a single day in which the NSA collected close to 450,000 Yahoo email addresses and tens of thousands from other services such as Hotmail, Facebook and Gmail. The Post said secret arrangements with foreign telecommunications companies led to this aspect of the NSA’s surveillance activities, most of it happening overseas but still likely snaring millions of American’s contact details.