Yahoo HTTPS mail not a moment too soon, nor too late

I remember sitting with a Yahoo employee in 2009, talking about the lack of protective encryption on Yahoo’s Web mail accounts. Like many, the employee had been caught up in the news of how Iranians were using the Internet to document and protest the presidential elections in that country, and had grown worried about the possibility of governments intercepting Yahoo customer’s emails without due process. As an immigrant from a repressive regime, he told me, he was aware of how much danger this posed. He said he was going to raise the topic internally.

A year later, I met him again. Turning on “https” or secure sockets layer (SSL) encryption for Yahoo Mail, it was clear, was going to be a fairly major undertaking. The infrastructure that Yahoo had built to cope with millions of users was not easy to convert to support “https” connections. He had heard that the proposal reached board level before being put to one side. His company, he felt, had let him down.

Three years later, Yahoo has a new board, and a new chief executive. Within the Global Network Initiative and without, human rights groups had repeatedly encouraged Yahoo to protect its mail users from spying. Late last year, we got word from Yahoo that they were experimentally rolling out SSL as an option. Last week, the company quietly revealed its availability to all users.

I can’t say that the change in priorities came about as a direct result of Yahoo’s new leadership, but its CEO freely acknowledged that public pressure played a role.

The announcement was quickly buried in more bad news for Internet security, however. Google announced Thursday that users in Turkey were being tricked into using a fake certificate for their connections to Google’s own email and other secure services. The trick being used is one that could potentially remove the protection of any “https” site. Then on Monday, reports came through of a new, unconnected, security vulnerability in Yahoo Mail.

In the face of flaws both in Yahoo’s software and the nature of the SSL infrastructure itself, is there any value to Yahoo’s change of heart, and to the effort put into switching to an encrypted service?

I’d strongly argue that there is. The computer security staff at large Internet companies have a good idea of the sort of attackers from which they need to protect users, and strategies they can use to do so. That list of common foes won’t be the same as the attackers that dissident and independent journalists fear. Yahoo and Google expect cybercriminals, not local law-enforcement or corrupt officials. But many of the protections that Internet companies can erect to protect the general consumer can also protect vulnerable reporters.

Google quickly spotted the fraudulent certificate and publicly warned companies like Apple, Mozilla, and Microsoft to identify and reject it. Yahoo fixed the temporary flaw in its software. Both of these steps protected the general userbase–and it protected the most vulnerable users.

The best security measures are the ones which protect all users, from all attacks. Sometimes companies cannot commit to such a high level of protection. But the average user is better served when they do.  If you advocate for that level of protection, you’re also helping those who might face more determined and more powerful adversaries. And there is the side-effect of respecting the wishes of your most diligent employees: those who speak up on behalf of your customers.

In the meantime, whether you’re a reporter under a repressive regime or any other Yahoo mail user, you should turn on SSL encryption now. And don’t click on any strange links.