The Washington Post

Yahoo to make SSL encryption the default for Webmail users. Finally.

Yahoo Inc Chief Executive Marissa Mayer (Pascal Lauener/Reuters/File)

Beginning Jan. 8, Yahoo will enable encryption by default for users logging into its Web-based mail service, the company has told The Washington Post.

"Yahoo takes the security of our users very seriously," the company said in an e-mailed statement. Yahoo began offering users the option to use the SSL encryption standard earlier this year. The option "encrypts your mail as it moves between your browser and Yahoo's servers," according to the company.

In January, the option will be switched on for all Yahoo users.

Yahoo has lagged behind its major competitors in offering encryption for its Webmail service. Google offered SSL as an option for Webmail in July 2008 and made it the default for Gmail Web users in early 2010. It became an option for Microsoft's free Webmail service Hotmail in November of 2010 and became the default for Webmail logins during the switch to in July of 2012. Social networking site Facebook started offering SSL as an option in November 2011 and made it the default for U.S. users in February of this year and for the world this past July.

Amie Stepanovich, Director of the Domestic Surveillance Program at the Electronic Privacy Information Center, commended Yahoo for the move. "It's always a positive thing when companies take steps to protect their customers' information," she said, but noted, "unfortunately, this often only happens after a harmful event."

These moves to encryption for free Webmail services constitute a major privacy gain for users, but there are other circumstances where data associated with e-mail could be less secure. For instance, the e-mail apps on some mobile devices may not support the SSL encryption standard, exposing users on those devices to possible snooping by third parties.

In addition, while Yahoo is finally implementing SSL by default, Google and Facebook are already moving on to higher levels of security, with longer key lengths and 'perfect forward secrecy' in order to keep the prying eyes away.

Christopher Soghoian, the Principal Technologist and a Senior Policy Analyst with the American Civil Liberties Union's Speech, Privacy and Technology Project, said he's glad Yahoo has finally implemented encryption. But he expressed disappointment that it took them so long.

"It is unfortunate that it has taken Yahoo four years to do what Google was able to do in 2010: deploy HTTPS encryption, for all users, by default," he argued. "Yahoo's glacial progress on this issue has been a gift to intelligence agencies around the world, who have been able to perform massive, dragnet-surveillance of Yahoo users' unprotected emails."

The ACLU, Electronic Frontier Foundation, Reporters Without Borders, and other organizations had long asked the company to implement SSL encryption for Webmail. But nonprofit advocates weren't the only people who had urged Yahoo to make the shift: Sen. Chuck Schumer (D-N.Y.) sent a letter to several companies that did not use SSL, including Yahoo, asking them to change their practices in light of privacy concerns in February of 2011 — nearly three years before Yahoo expects to make the switch.