Encrypted Yahoo Messenger on its way
Security changes to popular products like Yahoo Messenger are on the way, says Yahoo's first CISO in a year, security industry veteran Alex Stamos.
SAN FRANCISCO -- If Alex Stamos gets his way, Yahoo is about to become one of the most aggressive supporters of encryption.
The new chief information security officer, Yahoo's first in more than year, announced several new implementations of encryption in Yahoo products on Wednesday.
"Preventing surveillance of millions of people at a time is totally within our ability," Stamos told a small gathering of reporters at Yahoo's Flickr offices here.
Yahoo's plans reorient the company from its previously lackadaisical encryption implementation, which had allowed government snooping. "Fifteen years of 'I trust you with my data' is changing," he said.
These changes include fixing a glaring hole in the Web giant's user security: Yahoo Messenger.
Yahoo Messenger, along with ICQ, was one of two instant messaging services that CNET recently discovered were left unencrypted after a decade of exposure. The company plans to release a new version of Yahoo Messenger "in the coming months," Stamos said in a blog post.
Stamos recapped recent encryption improvements by Yahoo. Traffic between Yahoo's data centers was "fully encrypted" by March 31, he said. In January, Yahoo finally made HTTPS, the encrypted Web protocol standard, the default for Yahoo Mail. In the past month, Stamos said, the company has enabled tougher encryption between Yahoo and other mail servers, such as Google, that support the SMTPTLS standard. All search queries that begin on the Yahoo home page and "most Yahoo properties" use HTTPS as their default.
The company, he said, is working to improve encryption on other properties as well. While it has implemented TLS 1.2, Perfect Forward Secrecy, and a 2048-bit RSA key for the Yahoo homepage, Yahoo Mail, and Yahoo digital magazine sites, the standards have not yet been extended to other Yahoo sites.
Users can manually use encryption on Yahoo News, Yahoo Sports, Yahoo Finance, and Good Morning America for Yahoo by typing an S after the HTTP on those sites.
He also said that mobile apps and sites with third-party installations of Yahoo Search, for example, will much harder to encrypt because they require the app or site owner to upgrade their traffic protocols.
"[N]inety-nine-point-something percent of traffic for Yahoo" will be covered, he said. "It's possible that there will always be old, old devices sending us traffic."
However, ad networks, old devices, old apps, and Yahoo's pantheon of media partners present challenges for implementing encryption, Stamos said.
"There's always a momentum in how users do stuff. Making small changes can have huge knock-on effects for whole companies. We have a limited amount of control over the whole ecosystem," he said. "It's a bigger project than I expected, perhaps."
Stamos, who until February was on the other side of the security coin, testing Web sites for companies that wanted to be sure that their standards were up to snuff, said that his new role as Yahoo's CISO is "pretty great."
"I was a professional software critic," he said. "It's like if [movie critics] Ebert and Roeper decided to direct a movie."
That might not be the best analogy he could've used. Roger Ebert long ago co-wrote Beyond the Valley of the Dolls with Russ Meyer, garnering at best lukewarm applause from critics.