Internet giant Yahoo has reportedly started automatic encryption of emails in a bid to thwart government surveillance as revealed in the controversial National Security Agency (NSA) leaks.
Yahoo Mail has supported full-session HTTPS (HTTP encrypted with SSL/TLS) since late 2012, but users had to opt in to use the feature. The company has now announced that it is enabling encryption by default for all users, a security measure that has been in place at Google for four years, PC World reports.
Senior vice-president of communication products at Yahoo, Jeff Bonforte, said that any time one uses Yahoo Mail, whether through the web, apps or via IMAP, POP or SMTP, the content is 100 per cent encrypted by default and protected with 2,048-bit certificates.
Bonforte explained that the encryption extends to emails, attachments, contacts, as well as Calendar and Messenger in Mail.
However, director of application security research at security firm Qualys, Ivan Ristic, has pointed out that Yahoo's HTTPS implementation appears to be inconsistent across servers and even technically insecure in some cases.
According to the report, it was also found that none of the servers checked by Ristic support forward secrecy, a feature that makes decryption of previously captured SSL traffic impossible even if the server's private key is compromised in the future.
In contrast, rival Google's SSL configuration for Gmail has supported forward secrecy since 2011, and Facebook and Twitter have also implemented it.
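As an added example (not part of the original report and not Qualys's or Yahoo's tooling), the following Python code shows how an operator could check whether the cipher suite a server negotiates provides forward secrecy, that is, whether it uses an ephemeral Diffie-Hellman key exchange rather than RSA key transport. The function names are hypothetical, and the hostnames and negotiated suites in the sample are constructed.

```python
import socket
import ssl

# Key-exchange prefixes that indicate ephemeral Diffie-Hellman
# (OpenSSL-style and IANA-style suite names).
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_ECDHE_", "TLS_DHE_")


def is_forward_secret(cipher_name, protocol):
    """Return True if the negotiated suite uses an ephemeral key exchange."""
    if protocol == "TLSv1.3":
        # Assumption: certificate-authenticated TLS 1.3 handshake, which
        # always performs an (EC)DHE exchange.
        return True
    return cipher_name.upper().startswith(EPHEMERAL_PREFIXES)


def negotiated_cipher(host, port=443, timeout=5.0):
    """Connect to a server you operate and return (cipher_name, protocol)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol


def audit(observations):
    """Map each endpoint to True/False from (endpoint, cipher, protocol) rows."""
    return {ep: is_forward_secret(c, p) for ep, c, p in observations}


# Constructed sample: hostnames and negotiated suites are illustrative only.
SAMPLE = [
    ("mail-a.example", "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    ("mail-b.example", "AES128-SHA", "TLSv1"),           # RSA key transport
    ("mail-c.example", "RC4-SHA", "TLSv1"),              # RSA key transport
    ("mail-d.example", "DHE-RSA-AES256-SHA", "TLSv1"),
    ("mail-e.example", "ECDH-RSA-AES128-SHA", "TLSv1"),  # static ECDH, not ephemeral
    ("mail-f.example", "TLS_AES_256_GCM_SHA384", "TLSv1.3"),
]

if __name__ == "__main__":
    for endpoint, ok in audit(SAMPLE).items():
        print(f"{endpoint}: {'forward secrecy' if ok else 'NO forward secrecy'}")
```

The result of `negotiated_cipher` reflects what this particular client and the server agreed on, so a server that supports forward-secret suites but ranks them below RSA suites can still be reported as lacking it.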
Ristic opined that Yahoo needs time to get their servers in order when it comes to encryption, but they need to be more transparent about what they're planning and doing, the report added.