The Yahoo and ICQ instant messaging services were the two remaining popular instant messaging services working without any form of encryption. HTTPS for Yahoo was only established in January. Further encryption efforts are coming as the company’s intention is to put encryption on all of their products and services.
What Has Yahoo Done to Further Encryption Since January?
The most notable story comes from Yahoo encrypting their data centers only a week ago.
This was a major accomplishment as it helps to keep the NSA from snooping on their data centers. It also meant encryption for many of their popular services including Yahoo Mail, Homepage, and Digital Magazines. After commenting on this feat, they also claimed to be in the process of making sure that all of their websites meet the same security standards.
Yahoo’s Plan to Encrypt Yahoo Messenger
Currently, the Yahoo Messenger Protocol transmits data over its connection without any form of encryption. This means that everything is sent in plain text. Although it is not easy to gain access to someone else’s instant messaging account, an attacker who does so can very easily read all sent and received messages, the user’s friends, and various other pieces of data. This can be accomplished by an attacker gaining control of a machine through which the data is transferred.
As encryption has become standard on the Internet, Yahoo has been pressured to better protect their users’ data. So Yahoo Messenger has made it onto the list of products that are to be updated with proper data encryption practices. While it helps with preventing attackers from accessing their data, the primary focus is still to prevent intelligence agencies from spying on their users.
How Will Yahoo Encrypt Their Instant Messaging Service?
The initial focus is on letting users access the services by typing https:// instead of http://, so that they land on an encrypted page. A further focus is on ensuring that webcam chat is encrypted. This security update is expected to roll out in the coming months.
Further security implementations will be made, such as HTTP Strict Transport Security, Certificate Transparency, and Perfect Forward Secrecy. These are all expected to show up in the upcoming months as well.
Yahoo also does not plan on just throwing in a few functional security measures and leaving it at that. It has become clear that the extensive efforts required to fully upgrade their security measures could have been avoided if they had kept up with the latest security practices. Their intent is to keep track of things and make regular changes to ensure that all their services include the highest level of protection that they can provide.
Yahoo is Not the Only One Adding Encryption
Other major Internet companies have been implementing new encryption practices this year. Earlier in the year, Gmail and Google search data encryption began. This was done in an attempt to curb intelligence agencies from accessing their users’ data – much like the purpose behind Yahoo implementing encryption in their products and services.
The concerns over keeping user data unencrypted came to light after the Snowden incident. This raised awareness of just how much data intelligence agencies are able to obtain from these large companies. For business etiquette purposes and to distance themselves from the poorly viewed practices of the NSA, these companies and many more moved towards encrypting their users’ data.
Yahoo Facing Bigger Encryption Problems
Yahoo is turning into a bit of a mess when it comes to following the right Web security protocols, and encryption for their instant messaging services now seems to be the least of their concerns.
The Heartbleed bug is a vulnerability in OpenSSL affecting nearly all versions released over the past two years. The bug essentially allows an attacker to trick a system running OpenSSL into sending back large pieces of its memory. This is incredibly scary considering the amount of sensitive data that can sit within the system memory – user names, passwords, email addresses, credit card information, and much more.
Basically, the Heartbleed bug makes it possible for an attacker to get a server to hand over its secret keys, after which any data the attacker intercepts can be read. Worst of all, it is delivered to them directly in unencrypted form. With the keys, they are able to spoof what would otherwise be a protected and safe server or website and intercept data from the users.
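The memory disclosure described above comes down to a heartbeat handler trusting the length field the peer sends. The following is an added example, not code from the original article or from OpenSSL: the function names and sample bytes are constructed for illustration, and the message layout and padding rule follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_HDR = 3, HB_PAD = 16 };

/* "Before" form: echoes as many bytes as the length field claims and never
   compares the claim with rec_len. arena_len only keeps this demo in bounds. */
size_t hb_echo_unchecked(const uint8_t *arena, size_t arena_len, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                  /* the missing comparison */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (HB_HDR + claimed > arena_len) return 0;     /* demo safety only */
    memcpy(out, arena + HB_HDR, claimed);
    return claimed;
}

/* "After" form: drop the message unless header + claimed payload + minimum
   padding fits inside the record that was actually received. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len) return 0;
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}

/* Constructed sample: a 7-byte record claiming a 32-byte payload, followed in the
   same array by made-up data standing in for adjacent process memory. */
static const uint8_t ARENA[] = "\x01\x00\x20" "ping" "user=alice;password=constructed-sample";
enum { SHORT_REC = 7 };

/* Bytes beyond the real 4-byte payload that the unchecked form echoes. */
size_t demo_unchecked_leak(void)
{
    uint8_t out[64];
    return hb_echo_unchecked(ARENA, sizeof ARENA - 1, SHORT_REC, out) - (SHORT_REC - HB_HDR);
}

/* The checked form echoes nothing for the same record. */
size_t demo_checked_echo(void)
{
    uint8_t out[64];
    return hb_echo_checked(ARENA, SHORT_REC, out);
}

int main(void) { return (demo_unchecked_leak() == 28 && demo_checked_echo() == 0) ? 0 : 1; }
```

A well-formed record with a 4-byte payload and 16 bytes of padding passes the checked form unchanged, so the comparison costs legitimate peers nothing.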
This may turn out to be one of the biggest victimizing stories that will surface as a result of the Heartbleed bug. Just imagine the sheer number of affected users due to the attackers taking advantage of this bug to obtain Yahoo user data.
With that in mind, you may be waiting a little longer for the appropriate encryption methods to be implemented by Yahoo. Hopefully, once they roll out in full force, no other issues such as this one – which was uncontrolled and unexpected, affecting upwards of 70 percent of all websites – knock them back down again.