Email Encryption: A Good Idea But…

October 18, 2013 | John P. | Comments (0)

(Enable SSL HTTPS Encryption on Yahoo! Email Account)

Yahoo! was the latest of the large web-based email providers to announce that it will be rolling out default SSL (Secure Sockets Layer) connections (i.e. https:// or HTTP Secure (HTTPS)) for all Yahoo! email accounts beginning on January 8, 2014. Encryption of email sessions is an important security measure for protecting personal information. SSL encryption depends on cryptographic protocols to scramble data as it travels from one source to another; knowing the encryption key is necessary for decoding the data.

Gmail and Outlook.com (formerly Hotmail.com) already offered this feature as a default setting in 2010 and 2012 respectively, whereas Yahoo! gave users the option of selecting SSL by changing the settings. (Facebook began offering SSL as the default in August 2013 but offered SSL as an option in early 2011.) (To change to SSL for Yahoo! mail before the January 8, 2014 switch-over, a user simply logs into her/his account, clicks on the gear icon in the top right corner, selects “Settings”, clicks on “Security”, then clicks the check box next to the statement “Make your Yahoo mail more secure with SSL”, and finally clicks on “Save”.)


Currently, Yahoo’s default setting is to offer users account log-in with SSL but then change to an unencrypted session for email account usage. This makes email accounts vulnerable to hacking over unencrypted Wi-Fi networks, because the session cookie that identifies the logged-in user then travels in the clear. The point was demonstrated in 2010 by the Firefox add-on Firesheep, which allowed the hijacking of account sessions (known as sidejacking) over an open Wi-Fi connection.

In addition to playing catch-up with its competitors, Yahoo! also announced its intention to implement 2048-bit encryption keys as an additional layer of security. But is this enough? Many people have been following the developing story that the United States’ National Security Agency (NSA) has been collecting contact lists from email accounts, instant messaging (IM), and social networks from Americans and other people around the world. On one particular day in 2012, the NSA collected 444,743 email address books from Yahoo!, compared to 105,068 from Hotmail/Outlook, 82,857 from Facebook, 33,697 from Gmail, and 22,881 from other unnamed sources. NSA whistleblower Edward Snowden recently claimed that the NSA’s program called XKeyscore enabled him to read anyone’s email if he had that person’s email address, although leading Congressional politicians have denied that. Possible solutions might include using perfect forward secrecy (PFS) as a default setting.

Google employed “forward secrecy” (also referred to as perfect forward secrecy) as a default in late November 2011, with the intent being to avoid retrospective decryption of information. A secured website displays a padlock in the address bar to denote access over an encrypted connection. One’s computer and the server agree to use a shared encryption key which is unique for each computer connecting to a particular server. A deficiency with many websites is that shared encryption keys are sent to the server encrypted with the server’s public encryption key and are then decrypted by the server’s sole private decryption key. If the private decryption key is compromised, then it is possible to decrypt data communications. With (perfect) forward secrecy engaged, some of the information needed to decrypt messages is never stored and is short-lived at best. Private keys associated with a connection are not held in continuous storage. Even if a secret key is compromised, only new encrypted information would be vulnerable. The web server operator would have an opportunity to detect the security breach, revoke the compromised security key, and create a new one.

Some websites have resisted the implementation of forward secrecy with HTTPS because the process is more CPU-intensive than its typical HTTP or HTTPS counterparts. Some websites allow HTTPS connections but do not make them the default choice. The Electronic Frontier Foundation (EFF) recommended that Firefox browser users could facilitate defaulting to encrypted connections by using EFF’s Firefox extension called HTTPS Everywhere. However, HTTPS Everywhere will only work on a website if that website has an HTTPS option.

In September 2013, Netcraft published an article entitled “SSL: Intercepted today, decrypted tomorrow” that reported on browser support for perfect forward secrecy. Only 0.29% of Internet Explorer’s SSL connections offered PFS (Elliptic Curve). Safari’s SSL connections were 1.38% PFS (Elliptic Curve) and 0.78% PFS (Standard). 33.29% of Opera’s SSL connections were PFS (Standard), while Google Chrome SSL connections resulted in 32.23% PFS (Standard) and 1.38% PFS (Elliptic Curve), compared with 31.24% PFS (Standard) and 2.38% PFS (Elliptic Curve) for Firefox’s SSL connections. Netcraft also offered browser extensions for Firefox, Google Chrome, and Opera that will indicate whether or not PFS is supported on a particular website. Google noted in November 2011 that Google services would use PFS Elliptic Curve Diffie-Hellman (ECDHE) as the default with only Firefox and Google Chrome initially, as Internet Explorer did not support ECDHE in combination with RC4, the most widely used software stream cipher.
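The fallback described above, where a client that cannot do ECDHE with RC4 ends up on a suite without forward secrecy, as an added example that is not part of the original post: it sorts OpenSSL-style cipher suite names into the categories used in the Netcraft report and shows which suite a server-preference negotiation selects. The server and client suite lists are constructed for illustration and are not real browser or Google configurations.

```python
# Added example. Scope: OpenSSL-style suite names for TLS 1.2 and earlier.

def key_exchange(suite):
    """Classify a cipher suite by key exchange, using the Netcraft categories."""
    name = suite.upper()
    # Static (DH-/ECDH-) and anonymous (ADH-/AECDH-) suites are not counted:
    # only ephemeral, authenticated exchanges give forward secrecy.
    if name.startswith("ECDHE-"):
        return "PFS (Elliptic Curve)"
    if name.startswith(("DHE-", "EDH-")):
        return "PFS (Standard)"
    # Everything else here is treated as RSA key transport or static DH:
    # one long-lived private key can unlock recorded sessions.
    return "No PFS"


def negotiate(server_preference, client_offer):
    """Return (suite, category) for the first server-preferred suite the
    client also offers, or (None, None) if there is no overlap."""
    offered = {s.upper() for s in client_offer}
    for suite in server_preference:
        if suite.upper() in offered:
            return suite, key_exchange(suite)
    return None, None


def non_pfs_fallbacks(server_preference):
    """List the suites a server still accepts that lack forward secrecy."""
    return [s for s in server_preference if key_exchange(s) == "No PFS"]


# Constructed server policy: ECDHE with RC4 first, RSA key transport as fallback.
SERVER = ["ECDHE-RSA-RC4-SHA", "RC4-SHA"]

# Constructed client offers (hypothetical, not real browser fingerprints).
CLIENT_WITH_ECDHE_RC4 = ["ECDHE-RSA-RC4-SHA", "DHE-RSA-AES128-SHA", "RC4-SHA"]
CLIENT_WITHOUT_ECDHE_RC4 = ["ECDHE-RSA-AES128-SHA", "RC4-SHA", "AES128-SHA"]

if __name__ == "__main__":
    for label, offer in [("with ECDHE+RC4", CLIENT_WITH_ECDHE_RC4),
                         ("without ECDHE+RC4", CLIENT_WITHOUT_ECDHE_RC4)]:
        suite, category = negotiate(SERVER, offer)
        print(f"client {label}: {suite} -> {category}")
    print("non-PFS suites still accepted:", non_pfs_fallbacks(SERVER))
```

A server operator can run `non_pfs_fallbacks` over the configured suite list to see which entries would leave recorded traffic decryptable if the long-term private key were later compromised.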

 

On December 10, 2012, Outlook.com announced that it would use extended validation (EV) certificates issued by Symantec that required a minimum of 2048-bit encryption. In May 2013, Google announced its intention to upgrade all of its SSL Certificates to 2048-bit keys from 1024-bit keys beginning on August 1st and finishing by the end of 2013. Like Yahoo’s move to 2048-bit keys, Google’s move followed the recommended 2011 guidelines from the United States’ Department of Commerce’s National Institute of Standards and Technology (NIST) with the intent of developing improved defenses against potential future risks. On July 31, 2013, Facebook also stated its intention to use Transport Layer Security (TLS) (the successor to SSL), 2048-bit keys, and like Google, Elliptic Curve Diffie-Hellman (ECDHE) key exchange that relies on ephemeral (or short-lived) keys that are specific to a particular connection session in order to share a secret over an insecure channel.

The security and encryption story is far from finished…
