This afternoon, Yahoo detailed progress relating to the encryption of its various web services and properties. Most importantly, Yahoo now “fully” encrypts data moving between its data centers, as of March 31.
Yahoo was one of two companies that the NSA targeted with its MUSCULAR program, which tapped data cables between the foreign data centers of Yahoo and Google. A similar program had been found illegal in the United States. Google has made similar efforts to bolster encryption.
For users searching from the Yahoo homepage, and across most of its network, searches that are executed by users will be encrypted by default. Looking ahead, Yahoo will release a new version of Yahoo Messenger that will feature encryption in the “coming months.” This should cover video chatting, as well.
In conversation, Yahoo’s chief information security officer, Alex Stamos, stated that the company’s goal is to have “all data” sent to and from its users safely encrypted. And “invisibly,” importantly, meaning that user friction relating to the changes will be minimal.
Partner companies that can’t hack it and can’t meet Yahoo’s new encryption standards are being shown the door. Stamos stated that some providers of ads to Yahoo Mail have already departed, as they couldn’t meet new standards.
On the government front, Stamos stated that Yahoo hadn’t fielded any complaints yet from government entities relating to the changes it was implementing. In a Tumblr post, Yahoo indicated that it intends to implement Perfect Forward Security and Certificate Transparency also in the “coming months.”
Speaking more broadly, Stamos indicated that if a nation state wanted to find some way to get around its new protections and target a single person, it would likely be possible. In his view, Yahoo’s duty is more to protect users against broad, non-targeted surveillance.
Full front and back-end encryption should be the goal for all major technologies in Stamos’s view. Yahoo has taken knocks for lagging on encryption and other data protections. The company seems to be working to turn that around.