Yahoo to deploy SSL by default for webmail

Yahoo Mail will be protected by secure sockets layer encryption by default from January.

Communication products vice president Jeffrey Bonforte confirmed reports by the Washington Post that default SSL would hit users on 8 January.

“Yahoo Mail users can already enable HTTPS (SSL), a communications protocol that securely encrypts your information and messages as they move between your browser and Yahoo's servers,” Bonforte wrote, adding that the feature could be switched on under the security tab in Yahoo Mail settings.

“Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users."

In the past few years, other tech giants managing email accounts, like Google and Microsoft, set the encryption measure to default for Gmail and Outlook users.

Security professionals said via Twitter Yahoo was slow to move to SSL.

But American Civil Liberties Union principal technologist Chris Soghoian (@csoghoian) said Yahoo's move would make the many recently publicised data slurping efforts by the US National Security Agency harder to achieve.

"Yahoo turning on HTTPS by default will make mass collection harder for the NSA, but also China, Iran," Soghoian said.

CipherCloud founder Pravin Kothari said SSL should be deployed as 4096-bit.

“On SSL itself, it's ideal to use 4096-bit or higher SSL encryption as cryptographers have warned that 2048-bit, which most of the internet still uses, can be broken in 10 to 20 years by advanced computing,” Kothari said.

“Then, there's the flip side of the encryption coin to consider ... SSL doesn't protect information stored on email servers. Because that information is in clear text, accounts are still vulnerable to breaches and cloud surveillance."

This article originally appeared at scmagazineus.com