Access, Civil Society sign open letter to Yahoo! CEO urging implementation of HTTPS
1:49pm | 15 November 2012 | by Jeff Landale, English
On November 13, Access, along with nearly 30 members of international civil society, delivered a letter to Marissa Mayer, CEO of Yahoo!, urging her to immediately implement HTTPS by default on its popular webmail service. With hundreds of millions of active users, Yahoo Mail is one of the three most popular webmail services globally, along with Google's Gmail and Microsoft's Hotmail. However, unlike its competitors, Yahoo! for years has not implemented basic security measures to protect its users' privacy. This is particularly important for activists using Yahoo!'s services while struggling under oppressive regimes.
HTTPS is a standard means of encrypting web traffic and authenticating websites. HTTPS-capable web servers hold certificates that allow web browsers to authenticate the server's identity. When your web browser communicates with a website's server that has enabled HTTPS, the first thing it does is verify the server's identity using that certificate. If the web server is genuine, and therefore able to provide an authentic certificate, rather than a copy created to facilitate a man-in-the-middle attack, your web browser and the web server can encrypt the communication. When your web browser and a website's server communicate using encryption, following the HTTPS protocol, it is very difficult for an outside party to unscramble the information passing over the internet.
Find the letter here and below:
November 13, 2012
Dear Ms. Mayer:
As privacy, security, and human rights advocates and organizations from around the world, we are writing to you to express our deep concern with Yahoo!'s continued delay in supporting encrypted connections to its vital communications services. As individuals who engage with at-risk communities targeted for surveillance and censorship, we see on a daily basis how this negligence endangers human rights activists who fight in some of the most repressive environments to protect the basic freedoms that we take for granted. Five years ago, in response to serious concerns about Yahoo!'s human rights record, Yahoo! founder and then-CEO Jerry Yang promised to the US Congress:
"Yahoo! is a company committed to doing the right thing and to protecting human rights globally. We are a company founded on openness, the exchange of information and user trust, and we believe deeply in free expression and privacy."
We want to see Yahoo! live up to those commitments in the implementation of its services, and we regard the use of transport encryption as a fundamental security requirement for e-mail. Yahoo's principal direct competitors in the web-based e-mail market, Microsoft and Google, have implemented HTTPS by default to protect their users against hacking and spying. This leaves Yahoo! Mail as the only major web-based e-mail service that continues to rely on insecure connections.
Over the last several years, Yahoo! has repeatedly been urged by security experts to adopt HTTPS, but has taken no visible steps to do so. Unfortunately, this delay puts your users at risk, which is particularly disturbing since Yahoo! Mail is widely used in many of the world's most politically repressive states. There have been frequent reports of political activists and government critics being shown copies of their email messages as evidence during interrogation sessions, underscoring the importance of providing basic measures to protect the privacy of e-mail. Where online communications platforms are essential channels for the free flow of information and outlets for expression, offering HTTPS by default is a critical step that Yahoo! must take to blunt some of the effects of mass surveillance and censorship.
A 2009 open letter to Google signed by 37 prominent computer security and privacy experts, urging the use of HTTPS security on services that process personal information, emphasized that HTTPS is “industry standard” security for protecting personal information on web services; these experts added that research shows “most users have no idea of the data interception risks that they face when using public wireless networks [...] few users notice the presence or absence of HTTPS encryption and [users] fail to take appropriate precautions when HTTPS is not used.” All the e-mail and social network providers criticized in this letter have since made HTTPS available or mandatory on their sites—except Yahoo!.
Some of us have already been compelled to recommend that users avoid Yahoo! Mail because of its continued lack of essential security protections. For example, a recent video by the prominent security training organization Tactical Technology Collective, with the title “Hey Yahoo! HTTPS my Emails!”, warns the public to select only web mail services that can be accessed via HTTPS. In an age of pervasive, inexpensive surveillance, we believe this is reasonable and appropriate advice.
We urge you to act as quickly as possible to act on this commitment to user trust and security by taking the long overdue step of deploying HTTPS for all Yahoo! communications services.
Renata Avila, Human rights lawyer, Guatemala
Gustaf Björksten, Access
Chris Conley, American Civil Liberties Union of California
Cyber Arabs, IWPR
Ot van Daalen, Bits of Freedom
Adam Fisk, Brave New Software Project
Front Line Defenders
Global Voices Advocacy
Allen Gunn, Aspiration
Gus Hosein, Privacy International
International Campaign for Human Rights in Iran
Mallory Knodel, May First/People Link
Stefan Marsiske, Hungarian Autonomous Center for Knowledge
Smári McCarthy, International Modern Media Institute
Niels ten Oever, Internet Protection Lab
padeluun, Privacy activist; invited expert member of German Parliamentary Internet commission
Reporter Ohne Grenzen (Germany)
Reporters Without Borders (United States)
Eleanor Saitta, OpenITP
Seth Schoen, Electronic Frontier Foundation
Tactical Technology Collective
Tibet Action Institute
Rena Tangens, FoeBuD e.V. / BigBrotherAwards Germany
United for Iran
Leon Willems, Free Press Unlimited