After the disclosure of the NSA's secret spying on Internet communications, I expect all tech companies to make surveillance significantly harder.
Yahoo has supported HTTPS encryption since late 2012, but users had to opt in to use the feature. Documents revealed by Edward Snowden show that the NSA secretly accessed data from several tech giants, including Yahoo, by intercepting unencrypted Internet traffic in a program called Muscular.
As promised back in October 2013, Yahoo has finally enabled HTTPS connections by default for its users, automatically encrypting the connections between users and its email service.
Jeff Bonforte, senior vice-president of communication products at Yahoo, announced in a blog post:
It is 100% encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.
HTTPS by default is really good news for Yahoo users and will defend them against man-in-the-middle attacks, but it is still not enough to protect users from an NSA breach.
Ivan Ristic, a security researcher at Qualys, told ITworld that some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients, which is weak in nature. Other servers, including login.yahoo.com, primarily use the AES cipher and are vulnerable to BEAST and CRIME attacks.
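The three weaknesses named above can be checked from the parameters of a negotiated TLS session. The following is an added example, not code from the article or from Qualys; the function names `assess`, `probe` and `report` are hypothetical, and the sample sessions are constructed rather than measured.

```python
import socket
import ssl

def assess(protocol, cipher, compression):
    """Flag the weaknesses the article names for one negotiated TLS session."""
    findings = []
    if "RC4" in cipher:
        findings.append("RC4")
    # BEAST needs a CBC suite under SSL 3.0 / TLS 1.0; in those versions every
    # suite that is neither RC4 nor NULL is a CBC suite.
    elif protocol in ("SSLv3", "TLSv1") and "NULL" not in cipher:
        findings.append("BEAST")
    # CRIME needs TLS-level compression to have been negotiated.
    if compression:
        findings.append("CRIME")
    return findings

def probe(host, port=443, timeout=5.0):
    """Return (protocol, cipher, compression) as negotiated with this client.

    A current Python/OpenSSL build typically does not offer RC4 or TLS 1.0, so
    this shows what a modern client gets, not the server's preference order.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.compression()

# Constructed sample sessions (assumption: not measurements of any real server).
SAMPLES = {
    "mail frontend": ("TLSv1", "RC4-SHA", None),
    "login frontend": ("TLSv1", "AES128-SHA", "zlib"),
    "hardened": ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", None),
}

def report(samples=SAMPLES):
    """Map each sample name to its list of findings."""
    return {name: assess(*session) for name, session in samples.items()}

if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name:15} {', '.join(findings) or 'none of the three'}")
```

To audit your own server, pass the result of `probe("your.host.example")` to `assess`; a dedicated scanner is needed to see the full cipher preference order.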
The new enhancement will boost privacy and security for Yahoo users, whether on the web, mobile web, mobile apps, or via IMAP, POP or SMTP. Other major webmail providers, including Gmail, have already had HTTPS by default for the last few years.