For Yahoo Mail users, it is a relief to know that Yahoo is taking its Web mail security infrastructure to a higher level. The Sunnyvale company is rolling out SSL encryption as the default security setting for all Yahoo Mail accounts beginning January 8, 2014.
The SSL layer of security works to encrypt the transfer of emails from a computer browser to the host server, in the process securing the communication from eavesdroppers, including the National Security Agency.
Late SSL Adoption
Yahoo’s adoption of SSL encryption began in early 2013, well behind competing Web mail services such as Google’s Gmail and Microsoft’s Outlook.com. In 2010, Google made HTTPS encryption compulsory for all Gmail users after launching it in 2008. When Microsoft ditched Hotmail for Outlook in 2012, SSL also became the default security setting.
Other Internet titans followed suit, including social networking site Facebook, online payment service PayPal, CRM company Salesforce and giant retailer Amazon.
The SSL encryption, however, is not coming to mobile devices anytime soon due to lack of mobile app support for this standard. Insecure logins remain the norm for mobile users who access their Yahoo accounts through the mobile app, leaving them susceptible to online hackers at large.
Recent Yahoo Security Breaches
While Yahoo’s latest move comes as a welcome development, it is lamentable that it took several major security disruptions on its Web mail service for the company to finally catch up. Cross-site scripting (XSS) in Yahoo’s service has been one of the vulnerabilities exploited by attackers to break through security walls. The XSS flaw allowed snoopers to steal cookies stored on various computers.
In November 2012, a hacker from Egypt sold that exploit for $700 to hijackers, exposing thousands of users to malicious links and websites. Still, 400 million Yahoo Mail users fell into another DOM-based XSS loophole, which was discovered by security researcher Shahin Ramezany.
In early 2013, a deluge of spam and phishing attacks descended upon New Zealand’s major email service provider, prompting both Yahoo and Telecom to reset nearly 60,000 passwords for users.
How SSL Works
All of these security breaches would have been abated had Yahoo implemented SSL encryption long before. SSL protects sensitive data transmitted across the Internet so that only the intended recipient can read the information. Without such encryption, any malicious machine between the sender and receiver could view that data.
An SSL certificate also verifies the server to which information is sent. This authentication process helps users ensure they send their sensitive and personal data only to the right server, not to a harmful machine pretending to be it. Most companies address this trickery by using a Public Key Infrastructure with an SSL certificate from a trusted SSL provider.
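
The server authentication described above, seen from the client side, as an added example that is not part of the original article. It uses Python's standard `ssl` module; the function names are hypothetical, and the two weakened configurations are constructed to show what is lost when encryption is kept but certificate checks are turned off.

```python
import socket
import ssl


def strict_context():
    # Library default: verify the chain against trusted CAs and match the hostname.
    return ssl.create_default_context()


def no_hostname_context():
    # Weak: any certificate from a trusted CA is accepted, whatever name it was issued for.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def no_verify_context():
    # Weakest: traffic is still encrypted, but the peer could be any machine at all.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_auth_gaps(ctx):
    """Return the reasons this client context would not authenticate the server."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not verified against a trusted CA")
    if not ctx.check_hostname:
        gaps.append("certificate is not matched to the requested hostname")
    return gaps


def connect_verified(host, port=443, timeout=5.0):
    """Open an authenticated connection; raises ssl.SSLCertVerificationError on a bad certificate."""
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    for make in (strict_context, no_hostname_context, no_verify_context):
        print(make.__name__, server_auth_gaps(make()) or "server is authenticated")
```

`server_auth_gaps` runs offline and can be used to audit a context before it is handed to a mail or HTTP client; `connect_verified` needs network access and a host of your choosing.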