Yahoo introduces new encryption methods to protect users from spying
“We implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines,” Alex Stamos, Chief Information Security Officer, wrote in his Tumblr blog post.
Stamos, a well-known security researcher and a critic of NSA surveillance, joined Yahoo just a few weeks ago as part of the company's anti-snooping crusade.
According to Stamos, users can start an encrypted session for Yahoo News, Yahoo Sports, Yahoo Finance, and Good Morning America by just typing ‘https’ before the site URL in the web browser.
The company has also encrypted search requests made from its homepage.
“The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default,” said Stamos.
The company’s decision to encrypt all information that moves between its data centers by March 31 was revealed in November 2013.
Meanwhile, Yahoo has far-reaching plans to protect its users and their data “through the deployment of encryption technologies.”
According to Stamos, there are also many issues to focus on in the coming months, including “working and encouraging thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure.”
“Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem,” he said.
Among the updates which are anticipated in the coming months is a new encrypted version of Yahoo Messenger to stop mass government spying on webcam chats.
“Our goal is to encrypt our entire platform for all users at all time, by default,” said Stamos.
Yahoo, with over 800 million users worldwide, is also planning to implement additional measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency. However, Stamos explains that this is not a project “where we’ll ever check a box and be ‘finished’.”
“Our fight to protect our users and their data is an on-going and critical effort,” he said. “We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.”
However, Yahoo's encryption efforts still lag behind those of Google. Stamos says many of Yahoo's services rely on content and ads provided by thousands of other companies, including some that aren't convinced that they need to encrypt, as cited by AP.
Yahoo, as well as other major technology companies such as Google and Microsoft, has made online security a top priority amid a series of revelations about US government programs that have hacked into users’ personal information. The bulk collection program was first disclosed in June by former NSA contractor and CIA employee Edward Snowden.
According to a secret audit, millions of records were being sent every day from Yahoo and Google internal networks to data warehouses at the NSA’s Fort Meade, Maryland headquarters. The NSA's principal tool to exploit the Google and Yahoo data links is a project called MUSCULAR, operated jointly with the agency's British counterpart, Government Communications Headquarters (GCHQ).
Earlier in March, Google encrypted Gmail to safeguard against NSA snooping. Gmail now uses an encrypted HTTPS connection when you check or send email, following reports that the US government had been secretly infiltrating the lines that transfer information overseas.
However, the US technology companies turned out to be not as innocent as they may seem at first sight.
On March 20, NSA general counsel Rajesh De said that US technology companies, including Yahoo and Google, were fully aware of the surveillance agency’s data collection. When asked during a hearing with the Privacy and Civil Liberties Oversight Board whether data collection under Section 702 of the FISA Amendments Act was done with the full knowledge and assistance of any company from which information is obtained, De responded, “Yes.”
Meanwhile, the companies implicated in the program – including AOL, Apple, Google, Facebook, Microsoft, and Yahoo – denied knowledge of NSA access to customer data.