With a short blog post, Yahoo’s SVP of Communication Products Jeff Bonforte has announced that the company has started encrypting all connections between their users and Yahoo Mail.
“Anytime you use Yahoo Mail – whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP- it is 100% encrypted by default and protected with 2,048 bit certificates,” he wrote. “This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.”
But Ivan Ristic, Director of Engineering at Qualys and founder of SSL Labs, has tested some of the servers and says that the HTTPS implementation is not consistent on all of them.
Some of Yahoo’s HTTPS email servers use a weak preferred cypher (RC4); some the AES cypher but haven’t implemented mitigations for known attacks against it (for example BEAST and CRIME); and none of the company’s servers he checked support forward secrecy (something that Google already did way back in 2011, and Facebook and Twitter did last year).
“I think we should accept that Yahoo needs time to get their servers in order when it comes to encryption, but perhaps they need to be more transparent about what they’re planning and doing,” Ristic said to Lucian Constantin. “For example, I would have preferred to see something along the lines of: “We haven’t done these other things yet, but here’s our schedule for addressing them’.”
Well, at least Yahoo has finally started doing something about it – let’s hope the will fix these problems sooner rather than later.