I remember sitting with a Yahoo employee in 2009, talking about the lack of protective encryption on Yahoo's Web mail accounts. Like many, the employee had been caught up in the news of how Iranians were using the Internet to document and protest the presidential elections in that country, and had grown worried about the possibility of governments intercepting Yahoo customers' emails without due process. As an immigrant from a repressive regime, he told me, he was aware of how much danger this posed. He said he was going to raise the topic internally.
A year later, I met him again. Turning on "https" or secure sockets layer (SSL) encryption for Yahoo Mail, it was clear, was going to be a fairly major undertaking. The infrastructure that Yahoo had built to cope with millions of users was not easy to convert to support "https" connections. He had heard that the proposal reached board level before being put to one side. His company, he felt, had let him down.
Three years later, Yahoo has a new board, and a new chief
executive. Within the Global Network Initiative and without, human
rights groups had repeatedly encouraged Yahoo to protect its mail users from
spying. Late last year, we got word from Yahoo that they were
experimentally rolling out SSL as an option. Last week, the company quietly revealed
its availability to all users.
I can't say that the change in priorities came about as a
direct result of Yahoo's new leadership, but its CEO freely acknowledged that
public pressure played a role.
@dangillmor Thanks, Dan! Twitter spoke and we listened. This was very important and we're doing our best. More to come...
— marissamayer (@marissamayer) January 6, 2013
The announcement was quickly buried in more bad news for
Internet security, however. Google announced Thursday that users in Turkey were
being tricked into using a fake certificate for their connections to Google's
own email and other secure services. The trick being used is one that could
potentially remove the protection of any "https" site. Then on Monday, reports
came through of a new, unconnected, security vulnerability in
Yahoo Mail.
In the face of flaws both in Yahoo's software and the nature
of the SSL infrastructure itself, is there any value to Yahoo's change of heart,
and to the effort put into switching to an encrypted service?
I'd strongly argue that there is. The computer security
staff at large Internet companies have a good idea of the sort of attackers
from which they need to protect users, and strategies they can use to do so.
That list of common foes won't be the same as the attackers that dissident and
independent journalists fear. Yahoo and Google expect cybercriminals, not local
law-enforcement or corrupt officials. But many of the protections that Internet
companies can erect to protect the general consumer can also protect vulnerable
reporters.
Google quickly spotted the fraudulent certificate and
publicly warned companies like Apple, Mozilla, and Microsoft to identify and
reject it. Yahoo fixed the temporary flaw in its software. Both of these steps
protected the general userbase, and they protected the most vulnerable users.
The best security measures are the ones which protect all
users, from all attacks. Sometimes companies cannot commit to such a high level
of protection. But the average user is better served when they do. If you advocate for that level of protection,
you're also helping those who might face more determined and more powerful
adversaries. And there is the side-effect of respecting the wishes of your most
diligent employees: those who speak up on behalf of your customers.
In the meantime, whether you're a reporter under a repressive regime or any other Yahoo Mail user, you should turn on SSL encryption now. And don't click on any strange links.




After I switched over to Yahoo's new HTTPS system, I have had an extremely difficult time sending still pictures and short video clips through their email... I never had these problems before.
Tonight, I had to go back to their previous 'unsecure' version, just so I could send out an important video clip... (it was not even half the total information size I should be able to send, but it WOULD NOT ATTACH!)
I returned to the 'secure' version immediately after sending the clip, but I hope they work out these problems quickly, because the new secure email 'DOES NOT WORK' yet, in this regard.
I've been having these problems adding attachments, ever since using their new 'secure' system.
I informed them of the problem about a week ago, but they have not contacted me about the issue.