Newly appointed Yahoo CISO Alex Stamos announced on Wednesday that the company has begun fully encrypting all the traffic moving between its data centers. The move was more than likely spurred by the revelations that the NSA taps overseas fiber-optic cables used by Google and Yahoo to exchange data stored in their many data centers in the US and abroad.
Yahoo, which has often been criticized for lagging behind other Internet companies when it comes to privacy protection, has additional great news on that front: it recently enabled HTTPS encryption by default on Yahoo Mail, the Yahoo Homepage, and all search queries that run on it and most Yahoo properties.
“In the last month, we enabled encryption of mail between our servers and other mail providers that support the SMTPTLS standard,” Stamos announced, adding that the company has implemented support for TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of its global properties.
“Hundreds of Yahoos have been working around the clock over the last several months to provide a more secure experience for our users and we want to do even more moving forward. Our goal is to encrypt our entire platform for all users at all times, by default,” he stated.
Other planned improvements in the coming months are a new, encrypted version of Yahoo Messenger (probably a reaction to Optic Nerve), and the implementation of HSTS, Perfect Forward Secrecy and Certificate Transparency.
“Our fight to protect our users and their data is an on-going and critical effort. This isn’t a project where we’ll ever check a box and be ‘finished’,” he concluded.
Yahoo also expects similar encryption standards from its partner companies. Stamos told TechCrunch that some ad providers have already left because they couldn’t meet them.
He also said that all these protections are unlikely to thwart the dedicated efforts of a nation state targeting a specific user, but that they will protect users against bulk surveillance.