
Too little, too late? Yahoo Mail to encrypt users' data

Yahoo has announced that its free email service Yahoo Mail will feature SSL encryption for the first time as part of a sprawling redesign effort.

Users who have complained about the reduction of the previously unlimited storage, the loss of in-browser tabs, and the spate of glitches that have hampered the revamp of the webmail provider will at least be pleased that their emails will now be more difficult for hackers and nosy government agencies to intercept.

SSL, or Secure Sockets Layer, encryption relies on cryptographic protocols to scramble data passing between two parties, so that only someone with the encryption key can decode the data upon arrival. Most security experts consider it a crucial component of basic Internet security.

SSL has been available to users of Yahoo Mail as an option, but it has not been made the default setting. Google made SSL the default for its Gmail service in 2010, and Hotmail has done the same. Yahoo is the only provider not to set SSL as a default.

Democratic New York senator Chuck Schumer even sent a letter to Yahoo, along with other companies that didn't use SSL, asking it to encrypt its communications. That was back in February of 2011.

So, better late than never?

No: the timing couldn't be worse. The Washington Post yesterday reported that the NSA is routinely gathering the contact lists of millions of Internet users, and that it collects twice as much information from Yahoo as from any other provider. This is probably due to the shocking ease with which users of Yahoo Mail can have their data intercepted.

The announcement will also not set many people's minds at ease for the future. In September, leaked documents revealed how the NSA's advanced cryptographers have rendered SSL encryption all but useless. Google and Facebook are already moving on to tougher forms of encryption, employing longer keys and perfect forward secrecy (PFS) by default.

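PFS ensures that encrypted messages that are intercepted and stored can't be decrypted later on, even if the server's long-term private key is subsequently compromised. Yahoo has no plans to implement this more fool-proof mode of encryption.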

Right now, the move seems too little, too late. And the encryption won't even come into effect until 8 January 2014.

Image: Flickr (wanderingYew2)