Security at the Mercy of Advertising


Yahoo’s latest move is yet another example of the tension between end-user security and the online advertising ecosystem.

Last year, Yahoo announced plans to enable encryption by default as a direct response to a story that Barton Gellman and I wrote about the NSA’s collection of millions of address books globally.  One of the slides we referenced in that story indicated that the NSA was collecting substantially more addresses from Yahoo than the other providers (444,743 from Yahoo vs. 105,068 from Hotmail or 33,697 from Gmail). These figures make sense given that, at the time, Yahoo was still not using default encryption for their front-end webmail users, let alone their back end email delivery (something I’ve written about previously).

Today, Yahoo announced they’ve made progress on their encryption plans with the help of former iSec Partner’s cofounder, and information security guru, Alex Stamos.  As Alex’s first post as Yahoo CISO indicates:

  • Traffic moving between Yahoo data centers is fully encrypted as of March 31.
  • In January, we made Yahoo Mail more secure by making browsing over HTTPS the default. In the last month, we enabled encryption of mail between our servers and other mail providers that support the SMTPTLS standard.
  • The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.
  • We implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We are currently working to bring all Yahoo sites up to this standard.

Even though it took them nearly 5 years after Google’s rollout to enable SSL, these are all notable security improvements which Yahoo should be applauded for.

However, Stamos also notes that encryption will not be enabled by default for their ad-focused web properties, even though the technical capability exists for users that know how to seek out the option:

  • Users can initiate an encrypted session for Yahoo News, Yahoo Sports, Yahoo Finance, and Good Morning America on Yahoo ( by typing “https” before the site URL in their web browser.

The reason for this is that, currently, most popular ad networks don’t support the ability to serve advertisements via HTTPS, and as a result, web browsers won’t load the ads or display pesky user alerts like the one above when the website is loaded via HTTPS.  They do this to protect you from eavesdroppers and attackers that can monitor or tamper with the unencrypted parts of your ‘secure session’ with your bank or email provider.

Not surprisingly, most websites that feature ads (i.e. all) default to not using encryption, and most users stick with defaults. This means, at least for now, that government will be able to monitor their browsing activity or piggyback on advertising cookies to target them with malware.

In an interview with the Wall Street Journal about this update, Alex added that Yahoo “eventually will flip that encryption switch, but needs to work with advertisers more first for those sites.”

Given the number of players involved, I wouldn’t be surprised if it’s another 5 years until that happens.


I also discussed this development in Washington Post’s blog “The Switch.” Read the article here: Yahoo’s uphill battle to secure its users’ privacy