Yahoo to Encrypt All Email, Data Center Connections

Yahoo plans to implement end-to-end encryption for all of its mail users, giving normal, non-technical users the power to communicate securely and privately.

LAS VEGAS – For a long time, Yahoo failed to implement default encryption across its many web services, lagging behind many of its rivals in terms of security and privacy and attracting the scorn of digital advocacy groups as a result. However, over the last year or so, the company has gotten very serious about encryption very fast, and is rapidly moving toward a place where its adoption of encryption and its security and privacy posture are on par with the likes of Google and Microsoft.

Image via Black Hat USA 2014

Yahoo says it will enable end-to-end encryption for all of its Mail users next year, meaning the contents of user mail will be encrypted from the user’s machine, through Yahoo’s servers and all the way along to the recipient. The company is working with Google on the project and the encryption will be transparent and easy to use.

“Post-Snowden, we have a strain of nihilism that’s keeping us from focusing on what’s real. We as an industry have failed. We’ve failed to keep users safe.”

In a briefing at Black Hat this week in Las Vegas, Nevada, Alex Stamos, the somewhat newly appointed chief information security officer at Yahoo, said that the project is and has been a priority throughout his tenure.

Yahoo is reportedly using a browser plugin Google released for Chrome in June that enables end-to-end encryption of all data leaving the browser. The partnership between Yahoo and Google is important, Stamos explained, because it will ensure that communication between Yahoo Mail and Gmail users are strongly encrypted.

“The goal is to have complete compatibility with Gmail,” Stamos said Thursday.

Other security improvements for Yahoo include the implementation of HSTS (HTTP strict transport security, which allows Web sites to force encrypted connections on a user’s browser, and certificate transparency, which uses public logs of trusted certificate authorities and the certificates they endorse in order to stem website spoofing and other man-in-the-middle attacks.

These moves should significantly improve Yahoo’s marks on the Electronic Frontier Foundation’s annual “Who’s Got Your Back?” and encryption reports. Of course, far more important than that, it means users will be able to communicate securely and privately with far less fear of eaves dropping regardless of their level of technical savvy.

“Post-Snowden, we have a strain of nihilism that’s keeping us from focusing on what’s real,” Stamos said. “We as an industry have failed. We’ve failed to keep users safe.