For years, security and privacy advocates urged Yahoo to implement encryption by default for its e-mail products. Without such encryption, called SSL, users' data could be vulnerable to the prying eyes of hackers and government snooping. But the company delayed announcing their intention to use encryption by default until learning that the oversight may have been contributing to the National Security Agency's ability to scoop up Yahoo users' address books at far greater rates than those of Yahoo's competitors.
Earlier this week, Yahoo finally started using encryption by default for its Web mail users. In a Tumblr post from senior executive Jeff Bonforte, the company said it is "now automatically encrypting all connections" between users and Yahoo Mail, and that encryption "extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail."
However, security researchers say the ciphers Yahoo is using to implement that encryption on some of its servers are weak. An analysis by SSL Labs shows that Yahoo is using an outdated cipher called RC4 to secure some connections. Matthew Green, a Johns Hopkins professor who focuses on cryptography, was surprised they used that cipher suite, calling it "archaic."
"RC4 was invented in the 1980s, and it was recently shown that it's even more broken than we thought," he explains. RC4 has long been known to have a theoretical flaw. But earlier this year security researchers were able to demonstrate a way to exploit that weakness. "It's not critically broken, and it won't reveal your information to the Internet at large," says Green, "but it can leak information."
Instead of RC4, Green says, another standard called AES is the recommended best practice for the kind of encryption Yahoo is doing. Yahoo did not respond to inquiries about their encryption choices by press time, but it does appear to be using AES for some, but not all, of its servers.
Green says there are a few reasons that some still rely on RC4. It's faster than AES, so it's cheaper because you can encrypt more bits with less processing power. Plus, AES has had its own security problems. Several years ago, there was another class of attack that worked against a specific way that AES was used in SSL implementations, causing many to recommend a move to RC4, he says.
"We're in a bad place with Web encryption," Green acknowledges. However, he says, in light of the more recent revelations, RC4 is "the worst of the choices." Still, he doesn't completely blame Yahoo for relying on RC4 for some things because about half the Internet is still using it.
"It's news to a lot of people that RC4 is not secure," Green says, "but at the same time, if you just spent a lot of money to implement encryption, you should be using the recommended best practices."
Others are less forgiving, including Christopher Soghoian, the principal technologist with the ACLU Speech, Privacy and Technology Project, who has long criticized Yahoo for not taking quicker action on encryption. "Yahoo has done the bare minimum that enables them to still claim that they're using encryption by default," Soghoian says. "This is too little, far too late."
Soghoian says Yahoo lags significantly behind competitors when it comes to security. "Google and Twitter are leading the industry by deploying strong cipher suites that offer perfect forward secrecy and enabling browser security features that protect against account hijacking," he explains. "Yahoo's total failure to deploy these industry standard security technologies clearly demonstrates that [company CEO] Marissa Mayer's 'commitment to protecting users' information' was an empty promise."
By deploying what many experts consider an outdated cipher suite in their HTTPS implementation, Yahoo appears to be struggling to use security practices other companies have already moved beyond. And considering the reason behind the company's decision to finally start protecting users with encryption by default, Green says, Yahoo's choice of RC4 for some servers is all the more surprising.
"Given that Yahoo is doing this because of the NSA, they shouldn't be implementing encryption based on something that is known to be vulnerable."