By Alex Stamos, VP of Information Security
The security of our users is a huge focus for us at Yahoo. We’re deploying encryption technologies across our platform, encouraging our partners to ensure that any data running on our network is secure, and improving the security of the overall web ecosystem.
We’re also focused on hiring the best talent to help us achieve our goals. That’s why I’m excited to introduce the two newest members of our security team: Chris Rohlf and Doug DePerry. Both Chris and Doug have incredible experience and are well-respected in the online security community. Chris and Doug will continue to be based out of New York, where they’ll further enhance our top-notch security team, provide key trainings as we grow, and help us recruit the brightest minds in the software security space.
Chris and Doug come to us from Leaf Security Research, a security consulting firm known for its deep understanding of software security. The Leaf team has discovered and published critical vulnerabilities in every major web browser and other widely used applications. Chris and Doug have helped design and lead Leaf’s “Advanced C/C++ Source Code Analysis” training course, which educates participants on how to find exploitable vulnerabilities by manually auditing the source of large and complex programs. Chris and Doug have taught this unique course for public and private audiences, including at Black Hat USA 2013.
Chris and Doug will make a comeback to Black Hat USA this year — this time as Yahoos! — to teach their course on August 2nd & 3rd and again on August 4th & 5th. If you’re planning to be at Black Hat USA 2014, come connect with us at Mandalay Bay to learn techniques to find new vulnerabilities, and analyze code for exploitation primitives for target-specific exploitation.
We’re thrilled to welcome Chris and Doug to our team of talented security experts at Yahoo and look forward to seeing you at Black Hat USA 2014 this year!
Interested in learning more about opportunities on our security team? Check out Yahoo Careers.
By Alex Stamos, Chief Information Security Officer
When I joined Yahoo four weeks ago, we were in the middle of a massive project to protect our users and their data through the deployment of encryption technologies as we discussed in our November 2013 Tumblr.
So today, we’re updating you on our progress:
- Traffic moving between Yahoo data centers is fully encrypted as of March 31.
- In January, we made Yahoo Mail more secure by making browsing over HTTPS the default. In the last month, we enabled encryption of mail between our servers and other mail providers that support the SMTPTLS standard.
- The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.
- We implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We are currently working to bring all Yahoo sites up to this standard.
- Users can initiate an encrypted session for Yahoo News, Yahoo Sports, Yahoo Finance, and Good Morning America on Yahoo (gma.yahoo.com) by typing “https” before the site URL in their web browser.
- A new, encrypted, version of Yahoo Messenger will be deployed in coming months.
Hundreds of Yahoos have been working around the clock over the last several months to provide a more secure experience for our users and we want to do even more moving forward. Our goal is to encrypt our entire platform for all users at all times, by default.
One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure. Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.
In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months. This isn’t a project where we’ll ever check a box and be “finished.” Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.
By Ron Bell, General Counsel
At Yahoo, our users’ interests enlighten and inform all we do, including how we approach government requests for user information. Today we’re issuing our second transparency report, continuing our effort to provide as much information as we can about government requests for this data.
The transparency report contains:
- Government data requests received by Yahoo! Inc. from July 1 to December 31, 2013, including Foreign Intelligence Surveillance Act (FISA) requests, National Security Letters (NSLs), and criminal data requests (such as search warrants, court orders, and subpoenas issued in criminal investigations).
- More detailed information about the U.S. national security requests we received from January 1 to June 30, 2013, reflecting a new U.S. government policy that lets Internet providers disclose more about these requests. The U.S. government adopted this policy after Yahoo and other Internet companies sued for the right to provide more transparency about the number and kinds of requests we receive.
- Government data requests received in countries in which Yahoo operates a legal entity.
You trust and rely on Yahoo to deliver beautiful, personalized products that make your daily habits inspiring and entertaining. In turn, we work hard to protect your information from unclear, improper, overbroad or unlawful government data requests. See for yourself how we put our users-first approach into action.
We will continue to update our transparency report every six months to share further information about the government requests we receive.