The main reason for the urgency is that the service was recently hacked via an XSS exploit, which Yahoo has since patched, and now we are learning that the company has also quietly rolled out an HTTPS option (finally). In fact, Yahoo moved so swiftly that it added the option of using an SSL connection to access its webmail service without publicly announcing the move.
Yahoo’s delay in offering a Secure Sockets Layer (SSL) connection for email sessions has been criticized many times by privacy groups, which argue that the cryptographic protocol helps prevent hackers from reading messages sent over a Wi-Fi network.
However, the Electronic Frontier Foundation, which wrote a letter back in November urging Yahoo to implement SSL, complimented Yahoo for catching up with rivals. “We are really glad that Yahoo is starting 2013 right by letting Yahoo Mail users use HTTPS to access their email accounts securely,” the digital rights group said in a statement.
If you use Yahoo Mail, you should activate the feature manually now (unfortunately it is not on by default). To enable the SSL option, click the gear wheel in the upper right corner, select “Mail Options,” go to “Advanced Settings,” and click “Turn on SSL.”
While not everyone has the feature active yet, and it has come very late to the party, the EFF has nevertheless praised Yahoo for the move: “Thanks to Yahoo! for taking this important step to protect its users’ privacy and security. And thanks to everyone engaged with our letter for helping emphasize the importance of this security measure (particularly to Front Line Defenders, the Tactical Technology Collective, and Aspiration for bringing many of us together).”
“HTTPS, a combination of the HTTP and SSL/TLS protocols, encrypts the traffic between Web clients and servers and prevents potential attackers from intercepting and inspecting potentially sensitive communications,” writes Computerworld’s Lucian Constantin. “The lack of full-session HTTPS can be exploited by attackers to hijack accounts and intercept traffic on open wireless networks and also enables some governments that control the Internet infrastructure in their countries to spy on the private communications of political activists, members of the press and other individuals.”