Following a trail cut several years ago by Google and Microsoft, Yahoo has now given users of its webmail service the option of using an SSL connection for their sessions. The HTTPS option is not enabled by default, but users can turn it on with a couple of clicks.
Yahoo has been slow to make the move to secure connections for its Yahoo Mail service, so much so, in fact, that last year the EFF and several other groups sent a letter to the company asking officials to make the change. Google enabled HTTPS-only by default for its Gmail users in 2010, just after company officials came out publicly and disclosed that Chinese attackers had penetrated Google and several other companies as part of a targeted attack campaign.
The letter from the EFF, ACLU, Reporters Without Borders and a number of other organizations urged Yahoo CEO Marissa Mayer to make the change in order to help protect users’ privacy and security.
“Over the last several years, Yahoo! has repeatedly been urged by security experts to adopt HTTPS, but has taken no visible steps to do so. Unfortunately, this delay puts your users at risk, which is particularly disturbing since Yahoo! Mail is widely used in many of the world’s most politically repressive states. There have been frequent reports of political activists and government critics being shown copies of their email messages as evidence during interrogation sessions, underscoring the importance of providing basic measures to protect the privacy of e-mail. Where online communications platforms are essential channels for the the free
flow of information and outlets for expression, offering HTTPS by default is a critical step that Yahoo! must take to blunt some of the effects of mass surveillance and censorship,” the letter said.
Attackers have been targeting users of all of the major webmail services with spear-phishing and other attacks, often going after political dissidents, journalists, bloggers and activists. Enabling a secure connection over SSL helps prevent some of the eavesdropping attacks that are conducted on email accounts, but won’t have much effect on security if a user opens a malicious document, enabling a malware installation.
Still, the move by Yahoo is an important step toward providing Yahoo Mail users with more security on their accounts. To enable the SSL option, users can go into the Options tab and click the box next to “Make your Yahoo Mail more secure with SSL”. The option is not enabled by default, but that could be a next step.
“If you’re a Yahoo! Mail user, please take this step right away to protect your privacy when reading and writing e-mail. We’ll also be looking into how HTTPS Everywhere can automatically protect users by making all access to Yahoo! Mail secure, even if users don’t realize that this option exists,” Seth Schoen of the EFF wrote.