Yahoo to encrypt webmail sessions by default starting January

Yahoo plans to make HTTPS connections standard for all users starting Jan. 8

Yahoo will start encrypting the webmail sessions of its users in early 2014 by making HTTPS (Hypertext Transfer Protocol Secure) standard for all Yahoo Mail connections.

Security experts, privacy advocates and users have asked Yahoo for this feature for a long time. Other major webmail providers already offer it.

In November 2012, the Electronic Frontier Foundation with other privacy, security and human rights organizations, sent a letter to Yahoo CEO Marissa Mayer asking the company to add HTTPS support to its communication services, including email and instant messaging.

HTTPS, which combines the HTTP Web communications protocol with the Secure Sockets Layer (SSL) encryption protocol, is widely used to secure connections between Web users and websites, and prevents sensitive data from being intercepted and read by unauthorized parties while in transit.

Yahoo started rolling out a new Web interface for Yahoo Mail late last year that provided support for full-session HTTPS, but only as an option. In order to enable the feature, users can go in their email account settings and check the "Use SSL" box in the "Security" section.

"Starting January 8, 2014, we will make encrypted https connections standard for all Yahoo Mail users," Jeffrey Bonforte, Yahoo's senior vice president of communication products, said Monday in a blog post. "Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users."

The move comes at a time when there is increased discussion about privacy and security online following revelations that the U.S. National Security Agency and the intelligence agencies of other countries are running extensive electronic surveillance programs.

Some of the NSA programs revealed by documents leaked by former NSA contractor Edward Snowden involve the upstream interception of Internet traffic as it passes through global networks, as well as data collection from online services providers including Yahoo, Microsoft, Google, Apple, Facebook, AOL and others.

The Washington Post reported Tuesday that the NSA collected online address books in bulk from Yahoo, Hotmail, Facebook, Gmail and other email and chat programs at Internet access points controlled by foreign telecommunications companies and allied intelligence services.

This type of upstream data collection is something that HTTPS can potentially prevent, as long as the implementation is strong enough. The service provider might be later compelled to hand over the decrypted data at its end, but at least in that case the interception would be done with its knowledge.

In addition to preventing bulk data collection by government agencies, HTTPS can also prevent hacker attacks, like the theft of authentication cookies over insecure wireless networks or through cross-site scripting attacks.

"As one of the world's most popular free webmail services providers, Yahoo gained unwelcome attention from cybercriminals in the past months resulting in XSS attacks that ended in cookie theft and subsequent account abuse," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender. "The introduction of SSL will likely limit this behavior, among other dangers."

Botezatu believes that all types of digital communications should have been switched to HTTPS/SSL a long time ago. However, even though Yahoo will be late to enable it compared to other webmail providers, its decision is still salutary, he said.

Google implemented full-session HTTPS as an optional setting in Gmail back in 2008 and made it standard at the beginning of 2010. Microsoft added the option in Hotmail in November 2010 and enabled it by default for its webmail service in 2012.

Twitter starting rolling out HTTPS by default in August 2011 and Facebook in November 2012. Both services supported HTTPS as an option since early 2011.

The next step for Yahoo would be to switch Yahoo Messenger connections to SSL by default as well, Botezatu said. "In some regions, Yahoo Messenger usage still outnumbers other instant messaging clients, and customers rely on it for all sorts of communication, from personal to business, but these conversations are still sent in plain text, which makes it easier to snoop on by unauthorized parties."

Join the PC World newsletter!

Error: Please check your email address.

Tags online safetyencryptiondata protectionprivacybitdefenderFacebookAOLAppleYahooGoogleMicrosoftsecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial® BX200 SATA 2.5” 7mm (with 9.5mm adapter) Internal Solid State Drive

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

D-Link PowerLine AV2 2000 Gigabit Network Kit

Learn more >

Xiro Drone Xplorer V -3 Axis Gimbal & 1080p Full HD 14MP Camera

Learn more >

ASUS ROG Swift PG279Q – Reign beyond virtual world

Learn more >

D-Link TAIPAN AC3200 Ultra Wi-Fi Modem Router (DSL-4320L)

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >


Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

ASUS VivoPC VM62 - Incredibly Powerful, Unbelievably Small

Learn more >

Stocking Stuffer

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Best Deals on PC World

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?