Yahoo Should Consider SSL a Minimal Security, Privacy Standard for Email

Yahoo’s decision to turn SSL on by default for its email users is being met with halfhearted applause by the security industry.

Yahoo is being second-guessed more today than a mediocre baseball manager.

Two days after announcing it would finally turn SSL on by default for its email users starting in January, the company is getting a halfhearted pat on the back from the security industry, which can’t help but ask: “What took you so long?”

Yahoo is the last holdout among major Internet companies to encrypt communications by default, years behind Google, and many months behind Microsoft and Facebook, for example. It’s been close to a year since SSL was offered as an option for users and one can’t help but think that changes in executive management, layoffs and poor earnings have forced Yahoo to kick security down the priority ladder.

Yahoo refused yesterday a request for an interview, and instead it stood behind a prepared online statement from a senior VP of communication products for comments on the situation. Experts however, aren’t pulling punches.

“I would say [SSL encryption] is something users should expect and demand, and developers should consider normal and standard to do,” said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation. “I think consensus is changing toward this.”

Often, companies need a swift kick in order to move major security projects along. Credit card providers were nudged along by endless data breaches starting in 2005 before demanding encryption be used for payment systems; this eventually gave way to the Payment Card Industry Data Security Standard. Google had its SSL plans under way before the infamous Aurora breach in 2010 forced it to accelerate SSL on by default in Gmail. And now in the age of surveillance, better known as the Summer of Snowden, Yahoo has finally jumped aboard.

Not that anyone is quick with a standing ovation.

“This massive delay demonstrates Yahoo’s complete disregard for the privacy of its customers,” said Chris Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union. “The threat is real. Whether the entity monitoring is the NSA or an identity thief at Starbucks, it has long been known that tools exist to allow interception.”

Soghoian has lobbyed Internet companies about enabling SSL by default since 2009 when he sent Google CEO Eric Schmidt a pointed letter on the subject. He said the idea was to try to convince a leading Internet company to take the first leap and then others would follow. His thinking was correct because soon after Google enabled SSL by default, Twitter, Microsoft and Facebook followed suit.

“Yahoo is the last big communications company to protect its services with SSL. It definitely should not have taken this much time,” Soghoian said. “Yahoo does not prioritize security. Its’ clear from the CEO on down; (CEO) Marissa Mayer has said she doesn’t use a PIN on her smartphone. This is not a company that prioritizes neither privacy nor security. In many ways, it spends more money subverting privacy because Yahoo has been at the forefront of weakening the DNT (Do Not Track) standard.”

The crux of the matter, however is that surveillance is pretty straightforward for the intelligence or hacker communities without encryption. Yesterday, news broke of another Snowden leak in which it was revealed that the NSA is able to capture millions of email and instant messenger address book contacts. Close to 450,000 Yahoo address books, the documents said, were collected in a typical day, compared to tens of thousands for Gmail, Hotmail or Facebook by comparison, making Yahoo the biggest target by far.

The EFF’s Schoen said he has seen the tide start to shift, especially with some startups deploying SSL from the moment they offer a service to customers. But he cautions that companies that do so take care to encrypt an entire site, not just pages that handle credit card transactions, for example. Research such as SSL Strip from Moxie Marlinspike demonstrates that it is possible to hop on an HTTP network stream, look for HTTPS links and essentially manipulate those links and redirect them to HTTP pages controlled by the attacker.

“There are challenges to converting an existing service,” Schoen said. “Some are rolling HTTPS from the outset, which is nice. We’re starting to see people try to articulate the idea that this is the industry standard or expected norm.”

It is, however, a minimal standard. Technologists say there is more that Internet giants can do to protect communications. Perfect Forward Secrecy, for example, is a conversation starter; it guarantees that if a master encryption key is ever compromised, sessions would remain private. HSTS or HTTP Strict Transport Security, is another option where a browser header instructs a browser to use SSL only; Twitter and PayPal are two places where HSTS is used regularly.

Schoen said that enabling Perfect Forward Secrecy requires computational resources and additional costs, but he also said that those were some of the same arguments companies used as a counter to enabling HTTPS. However, Schoen said, computers are getting faster and there’s less of a CPU resource burden today than a half-dozen years ago.

“There’s been a lot of speculation about Moore’s Law and how long that curve will last,” Schoen said. “But as long as we are on the curve for the time being, cryptography that seemed so intensive may not be so if we look again. Five or six years ago, that might have seemed like a huge computational burden, but today that might not be because CPUs are a lot faster.”

Yahoo, like the mediocre baseball manager, can’t win for losing. Tough financial times may have forced them to layoff engineers in the past few years, forcing the company to re-prioritize its to-do list and put revenue-generating projects at the top of the list.

“It isn’t something that takes five minutes to deploy; it does cost money,” Soghoian said of these additional measures. “But if you’re going to operate an email service in 2013, you need to keep it secure and if you’re not interested in keeping communication secure and private, then you shouldn’t be in the email service business. Other companies are willing to do that. Google operates a profitable email service that is encrypted. Yahoo should too. But Yahoo does not care and thought its customers would not notice.”

Suggested articles