We were thrilled to hear today that Yahoo is carrying through a concerted effort to protect users across its sites and services by rolling out routine encryption in several parts of its infrastructure. The company's statement announced that, among other things, it now encrypts traffic between its data centers, makes secure HTTPS connections the default for some web sites, and has turned on encryption for mail delivery between Yahoo Mail and other email services that support it (like Gmail).
We've long asked Internet companies to take some of these steps, most recently through our Encrypt the Web scorecard. We're updating that scorecard to give Yahoo credit for two new security measures (forward secrecy and STARTTLS). In light of reports that governments have directly tapped Internet backbones to obtain secret access to millions of people's private communications, it's become clear that routine use of encryption is an important basic measure for privacy and security online. Without it, any network operator (from the smallest Wi-Fi node to the largest Internet backbone companies), or anyone who can coerce or infiltrate one, can easily see the intimate details of what people are saying online.
Yahoo's use of encryption will make that harder. Additionally, the company's decision to adopt forward secrecy for encrypted connections means that the contents of old encrypted connections should stay private even if Yahoo loses control of its own secret keys.
It's important to note that all these uses of encryption protect only communications in transit between a user and Yahoo's servers, or within different parts of Yahoo's own infrastructure. That means they don't in any way change Yahoo's ability to turn over user data in response to government requests. They make it more difficult for any government to use its access to network infrastructure to secretly intercept users' communications, but governments can still come directly to Yahoo with demands for access to user data.
We commend Yahoo for taking these steps, and hope today's announcements will continue to foster a recognition that encryption is an industry standard.