Yahoo CISO Says Now Encrypting Traffic Between Datacenters, More Encryption Coming
Posted on April 3, 2014 by Kara Dunlap in Security
Yahoo’s recently-appointed VP of Information Security and CISO said that, as of this week, Internet traffic moving between Yahoo’s data centers is now fully encrypted.
Alex Stamos, who joined the company last month and has been tasked with securing Yahoo’s online products, provided a status update Wednesday on the company’s initiatives to protect users and their data.
The efforts by Yahoo are the latest as Internet and technology firms scramble to boost their security efforts and up encryption after Edward Snowden began to leak classified details on the scope of US government spying.
According to Stamos, the company has accomplished the following:
• Made Yahoo Mail more secure by making browsing over HTTPS the default.
• Has enabled encryption of mail between its servers and other mail providers that support the SMTPTLS standard.
• The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.
• Implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many the company’s global properties.
He also said that users can initiate an encrypted session for a variety of the company’s news and media services by typing “https” before the site URL in their web browser.
“One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos wrote in a blog post. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”
A new, encrypted, version of Yahoo Messenger will be available in the months ahead, Stamos said.
“In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months,” Stamos continued. “This isn’t a project where we’ll ever check a box and be “finished.” Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.”
Late last month, Google announced that its Gmail service would use added encryption to protect against eavesdropping and keep messages secure.
In December 2013, a group of US-based Internet giants called on Washington to overhaul its surveillance laws. In an open letter to President Obama and Congress, the tech giants called on Washington to lead the way in a worldwide reform of state-sponsored spying.
In January, President Barack Obama announced plans to curtail the reach of massive phone surveillance sweeps by the NSA, but said bulk data collection must go on to protect America from terrorists.
In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.