Yahoo’s encryption has been mocked for being weaker than tea made using a recycled teabag.
Yahoo has started to automatically encrypt connections between users and its email service, something which Gmail has been doing for four years.
Yahoo Mail had support for full-session HTTPS — SSL/TLS encryption over HTTP — since late 2012, but users had to opt in to use the feature. Now the outfit has said that it will enable encryption for everyone by default by January 8.
Writing in his blog, Jeff Bonforte, senior vice-president of communication products at Yahoo, said that any time you use Yahoo Mail it will be encrypted by default and protected with 2,048-bit certificates.
While this is jolly good, Ivan Ristic, director of application security research at security firm Qualys, which runs the SSL Labs and SSL Pulse projects, told IT World that Yahoo’s HTTPS implementation is inconsistent across servers and even technically insecure.
For example, some of Yahoo’s HTTPS email servers use RC4 as the preferred cipher with most clients. RC4 is weak and people should not use it, Ristic said.
Other servers, such as login.yahoo.com, primarily use the AES cipher but lack mitigations for known attacks like BEAST and CRIME; the latter targets a feature called TLS compression that login.yahoo.com still has enabled.
None of Yahoo’s servers supports forward secrecy, a key feature that makes decryption of previously captured SSL traffic impossible even if the server’s private key is compromised in the future. Instead, Yahoo’s servers use traditional RSA key exchange.
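The issues Ristic lists (RC4 preferred, TLS compression left on, CBC suites without a TLS 1.1+ escape, RSA-only key exchange) can be checked mechanically against a server's cipher and protocol profile. The script below is an added example, not part of the article or Yahoo's own tooling; the two profiles in it are constructed to resemble the article's description and a hardened configuration, and in practice the input would come from a scanner such as SSL Labs.

```python
from dataclasses import dataclass

# OpenSSL-style suite names: only these key-exchange prefixes are ephemeral,
# and therefore give forward secrecy.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")
# Suites that are neither AEAD nor stream ciphers are CBC-mode (BEAST territory on TLS 1.0).
NON_CBC_TAGS = ("GCM", "CCM", "CHACHA20", "RC4")

@dataclass
class TlsProfile:
    ciphers: list        # server preference order, most preferred first
    protocols: list      # protocol versions the server will negotiate
    compression: bool    # TLS-level DEFLATE compression offered

def is_cbc(suite):
    return not any(tag in suite for tag in NON_CBC_TAGS)

def audit(profile):
    """Return the article's weaknesses found in a profile; empty list means none."""
    findings = []
    if profile.ciphers and "RC4" in profile.ciphers[0]:
        findings.append("RC4 is the preferred cipher")
    elif any("RC4" in c for c in profile.ciphers):
        findings.append("RC4 is offered")
    if profile.compression:
        findings.append("TLS compression enabled (CRIME)")
    # BEAST needs a CBC suite under SSL 3.0/TLS 1.0; offering TLS 1.1+ lets
    # clients avoid it, so flag only when no newer version is available.
    legacy_only = not any(p in ("TLSv1.1", "TLSv1.2", "TLSv1.3") for p in profile.protocols)
    if legacy_only and any(is_cbc(c) for c in profile.ciphers):
        findings.append("CBC suites reachable only over SSL 3.0/TLS 1.0 (BEAST)")
    if not any(c.startswith(FORWARD_SECRET_PREFIXES) for c in profile.ciphers):
        findings.append("no forward secrecy: RSA key exchange only")
    return findings

# Constructed profiles: one shaped like the article's account of Yahoo, one hardened.
YAHOO_LIKE = TlsProfile(
    ciphers=["RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"],
    protocols=["SSLv3", "TLSv1"],
    compression=True,
)
HARDENED = TlsProfile(
    ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    protocols=["TLSv1.1", "TLSv1.2"],
    compression=False,
)

if __name__ == "__main__":
    for name, prof in (("yahoo-like", YAHOO_LIKE), ("hardened", HARDENED)):
        print(name, audit(prof) or ["no findings"])
```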