Yahoo Unveils Massive New Encryption Scheme to Protect Users
Alex Stamos doesn’t play when it comes to the NSA.
In his first big hammer drop as Yahoo’s new cybersecurity watchdog, Stamos announced yesterday that he’s overseeing a massive “around the clock” effort to encrypt 100 percent of the tech giant’s traffic, including the private data of its 800 million-plus users -- “at all time[s], by default.”
On the heels of reports that the NSA allegedly secretly snooped around thousands of its user accounts, the Sunnyvale, Calif.-based company pledged to encrypt all of its data centers by March 31. Stamos and the “hundreds of Yahoos” in his charge made that vow a reality. Not bad for only four weeks on the job.
The San Francisco-based veteran information security expert and outspoken NSA critic officially announced the company’s newly bolstered encryption efforts on its Tumblr page yesterday.
And Stamos made no bones about why the massive encryption project -- which seriously steps up security for Yahoo data center traffic, Yahoo Homepage search queries, Yahoo! Mail and much more -- is going down in the first place.
“We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy,” Stamos wrote in a powerful, telling statement curiously buried as the last sentence in his Tumblr post.
It was clearly a dig at the NSA’s controversial PRISM surveillance program. Yahoo recently reported that it received requests to poke around in roughly 30,000 to 40,000 of its user accounts (between January and June last year) via classified Foreign Intelligence Surveillance Court (FISC) orders. Yahoo arch rival Google said it was on the receiving end of FISC requests for information from between 9,000 and 10,000 of its user accounts around the same time.
Here is Stamos’s complete bulleted list detailing Yahoo’s new beefed-up encryption efforts, directly from his Tumblr update:
- Traffic moving between Yahoo data centers is fully encrypted as of March 31.
- In January, we made Yahoo Mail more secure by making browsing over HTTPS the default. In the last month, we enabled encryption of mail between our servers and other mail providers that support the SMTPTLS standard.
- The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.
- We implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We are currently working to bring all Yahoo sites up to this standard.
- Users can initiate an encrypted session for Yahoo News, Yahoo Sports, Yahoo Finance, and Good Morning America on Yahoo (gma.yahoo.com) by typing “https” before the site URL in their web browser.
- A new, encrypted, version of Yahoo Messenger will be deployed in coming months.
Stamos’s work doesn’t end with this list, though. Not as long as cyber attackers and government spies seek to snoop around Yahoo’s insides, which we don’t expect to stop any time soon.
"This isn't a project where we'll ever check a box and be 'finished,'" he said. "Our fight to protect our users and their data is an on-going and critical effort."
Yahoo did not immediately respond to a request for comment.