Internet giant Yahoo has reportedly started automatic encryption of emails in a bid to thwart government surveillance as revealed in the controversial NSA leaks.
Yahoo Mail has supported full-session HTTPS (SSL/TLS encryption over HTTP) since late 2012, but users had to opt in to use the feature.
The company has now announced that it is enabling encryption by default for all users, a security measure that has been in place at Google for four years, PC World reports.
Jeff Bonforte, senior vice-president of communication products at Yahoo, said that anytime one uses Yahoo Mail, whether through the web, apps, or via IMAP, POP or SMTP, the content is 100 percent encrypted by default and protected with 2,048-bit certificates.
Bonforte explained that the encryption extends to emails, attachments, contacts, as well as Calendar and Messenger in Mail.
However, Ivan Ristic, director of application security research at security firm Qualys, has pointed out that Yahoo's HTTPS implementation appears to be inconsistent across servers and even technically insecure in some cases.
According to the report, none of the servers checked by Ristic support forward secrecy, a feature that makes decryption of previously captured SSL traffic impossible even if the server's private key is compromised in the future.
By contrast, rival Google's SSL configuration for Gmail has supported forward secrecy since 2011, and Facebook and Twitter have also implemented it.
Ristic opined that Yahoo needs time to get its servers in order when it comes to encryption, but that the company needs to be more transparent about what it is planning and doing, the report added.
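The forward-secrecy check described above can be made concrete with a short script. This is an added example, not code from the report or from Qualys: it flags TLS endpoints whose negotiated cipher suite lacks an ephemeral key exchange. The host names and sample rows are constructed, and the ports are the conventional implicit-TLS ports for HTTPS, IMAP, POP and SMTP.

```python
import re
import socket
import ssl
import sys

# Key-exchange tokens that indicate ephemeral (EC)DH in OpenSSL or IANA suite names.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}


def has_forward_secrecy(protocol, cipher_name):
    """True if the negotiated protocol and suite use an ephemeral key exchange."""
    if protocol == "TLSv1.3":
        # TLS 1.3 dropped static RSA key exchange; a full handshake is always (EC)DHE.
        return True
    tokens = set(re.split(r"[-_]", cipher_name.upper()))
    return bool(tokens & EPHEMERAL_KX)


def audit(observations):
    """Return the (endpoint, protocol, cipher) rows that lack forward secrecy."""
    return [row for row in observations if not has_forward_secrecy(row[1], row[2])]


def probe(host, port=443, timeout=5.0):
    """Handshake with an implicit-TLS port and return (endpoint, protocol, cipher)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return (f"{host}:{port}", tls.version(), tls.cipher()[0])


# Constructed observations (hypothetical hosts), not measurements of any real server.
SAMPLE = [
    ("mail-a.example:443", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("mail-b.example:443", "TLSv1.2", "AES128-SHA"),        # static RSA key exchange
    ("imap.example:993", "TLSv1", "RC4-SHA"),               # static RSA key exchange
    ("smtp.example:465", "TLSv1.2", "DHE-RSA-AES256-SHA"),
    ("pop.example:995", "TLSv1.2", "ECDH-RSA-AES128-SHA"),  # static ECDH, not ephemeral
    ("web.example:443", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    # With arguments, probe host[:port] endpoints you operate; otherwise use the sample.
    args = (a.partition(":") for a in sys.argv[1:])
    rows = [probe(h, int(p or 443)) for h, _, p in args] or SAMPLE
    for endpoint, protocol, cipher in audit(rows):
        print(f"NO forward secrecy: {endpoint} {protocol} {cipher}")
```

A single handshake only shows the suite one server chose for this client, so when configuration differs across servers, as Ristic observed, each server address has to be probed separately.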