It's been a year since Edward Snowden's leak of National Security Agency documents triggered a firestorm around cloud service providers' privacy protections (or lack thereof). Since last summer, the giants of the Internet have pledged to do more to encrypt their Internet traffic—and in some cases, their internal network traffic—to protect it from both government surveillance and other prying eyes. But an Ars investigation reveals that data continues to leak.

Although companies have made great strides in securing their Internet services, implementations of SSL and other security standards aren’t always consistent across applications. And some of the gaps are intentional—left there to meet the demands of certain customers, to support older applications, or to make integration with other services faster (and more profitable).

The Electronic Frontier Foundation (EFF) has published a chart that shows which major Internet services support SSL and other security “best practices,” including encrypted data center links, perfect forward secrecy, and encrypted communications with other providers’ e-mail services. Eight major Internet companies—Google, Microsoft, Yahoo, Twitter, Facebook, Dropbox, Sonic.net, and SpiderOak—have implemented or are in the process of implementing all of EFF’s recommended security practices.

But the chart doesn’t tell the whole story of where things stand today. In conjunction with National Public Radio reporter Steve Henn and Pwnie Express CTO Dave Porcello, Ars recently conducted an experiment to see which parts of our online lives remain vulnerable to digital eavesdropping.

As part of that project, we specifically examined common services from four major Web and mobile service providers—Google, Yahoo, Microsoft, and Facebook—to see what information remains unencrypted. We will look at other service providers in the weeks and months to come.

Google and Yahoo

Google was among the first to offer SSL encryption across all its services, in part pushed by concerns for the privacy of customers overseas. “We were one of the first to offer SSL as an option (starting with Gmail in 2004, then to other services, such as Search in 2010), then as a default (Gmail in 2010), and most recently we've been working to make SSL the default however people use Google Search,” a Google spokesperson told Ars. Google made SSL a default for Gmail in January of 2010 after Gmail users—many of them human rights activists—were attacked by Chinese hackers.

For Web users, nearly all of Google’s services are now behind SSL. However, there are still some legacy exceptions to that encryption and leaks in the implementations of SSL for some Web clients. The 50 million or so users still on Android 4.1.1, for example, run their Google searches through the pre-Chrome browser by default—and those searches and their results are transmitted unencrypted.

Google also provides a “nosslsearch” interface to its search engine, primarily for organizations that want to perform content filtering of search results (such as schools and some employers). To take advantage of it, all that a network administrator needs to do is add a “CNAME” entry to their Domain Name System (DNS) server that redirects www.google.com requests to the unencrypted interface.

Yahoo has in many respects gone from last place to a leader in the SSL department since its services were exposed as an NSA favorite in the Snowden documents. The company is implementing SSL encryption by default for all its services this year.

We tested Yahoo’s services through a variety of Web browsers and applications. A majority of Yahoo’s Web pages now use SSL by default, including the Yahoo home page, Yahoo Weather, Mail, Messenger, Flickr, Games, Answers, and even the new Tech digital magazine site. However, several sites that use Yahoo login information are not yet encrypted—news.yahoo.com and its Sports and Finance sites, for example, are not encrypted by default (though you can reach them in encrypted form if you specify "HTTPS" in the URL).

Some of the services that have co-branded with or have been acquired by Yahoo are also less secure. Monster, for example, offers job hunting services unencrypted—SSL is not an option. Match.com’s Yahoo-branded page doesn’t encrypt by default, but you can go to its secure site by explicitly typing in "HTTPS."

Lastly, Yahoo has a fleet of mobile services. We found that while the Web version of Weather was secure by default, the iPhone Weather app still calls Yahoo’s weather API in unencrypted form—giving up location data.

Microsoft and Facebook

In December, Microsoft general counsel Brad Smith said in an official Microsoft blog post that the company would “pursue a comprehensive engineering effort to strengthen the encryption of customer data across our networks and services.” Microsoft had already moved to SSL protection for its Outlook.com Web e-mail service, its Office 365 collaboration service, and the OneDrive (formerly SkyDrive) cloud storage service. “Customer content moving between our customers and Microsoft will be encrypted by default,” Smith wrote.

There are a few small exceptions to that blanket statement, however. Bing does not offer encryption by default—though there is an HTTPS version of the site, users get the unencrypted version unless they specify HTTPS as part of the URL. And if you make Bing the search engine for the browser search bar in Firefox or Internet Explorer, the search data is sent unencrypted.

The same is true of Microsoft’s Bing API for mobile and web developers. “In terms of the Bing Search API, it does not use SSL as no user data is passed through to Bing, only query parameters,” said Dave Schefcik, a spokesperson for Microsoft’s Trustworthy Computing unit, in an e-mail to Ars. “The host (the developer or webmaster using the API) sets up their own security measures when customers (regular people) make a query. Bing is only getting the query itself, not the user information. Microsoft carefully vets all hosts and uses SSL protocol when they set up their account so they’re sure they have a secure authorization key.”

Microsoft’s Cortana digital assistant, however, does encrypt everything passed back to Bing’s services.

Facebook recently started moving its users toward SSL encryption, removing the option of opting out of secure connections via the Web last year. And the company started implementing encryption as part of its mobile applications in 2011. However, that focus on privacy hasn’t worked its way over to the Instagram service quite yet. While Facebook is working to integrate Instagram into its infrastructure, the only thing that gets encrypted on Instagram is access to user profile settings. Everything else—photos, text, API calls—is in the clear, at least on the Web. We’ll be conducting follow-up testing to look at the mobile client’s security.
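The findings above (a search query sent in the clear by a legacy browser, a weather API call giving up location, a Web API token on port 80) are the kind of thing a passive audit of a network's own outbound traffic can flag. The script below is an added example, not code from the Ars investigation or from any provider: the request records and host names are constructed, and the list of "sensitive" parameters is an assumption about what an auditor would want to know about.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of outbound HTTP requests as a passive monitor on your own
# network might record them: (scheme, host, request-target). Hosts ending in
# .invalid are placeholders; nothing here was captured from a real network.
SAMPLE_REQUESTS = [
    ("http",  "www.google.com",              "/search?q=my+medical+condition"),
    ("https", "www.google.com",              "/search?q=not+visible+to+a+sniffer"),
    ("http",  "www.bing.com",                "/search?q=divorce+lawyer&setlang=en"),
    ("http",  "weather-api.example.invalid", "/forecast?lat=37.78&lon=-122.42"),
    ("http",  "api.example.invalid",         "/v1/media?access_token=abcdef123"),
    ("https", "mail.example.invalid",        "/inbox?id=42"),
    ("http",  "static.example.invalid",      "/logo.png"),
]

# Query parameters whose presence in a cleartext request is worth an alert.
# Assumed names; extend to match the APIs actually used on your network.
SENSITIVE_PARAMS = {
    "q": "search query", "query": "search query",
    "lat": "location", "lon": "location", "woeid": "location",
    "access_token": "credential", "token": "credential", "session": "credential",
}

def find_cleartext_leaks(requests):
    """Return one finding per cleartext request that carries a sensitive parameter.

    Requests over https are skipped: their path and query are inside TLS and a
    passive observer cannot read them, which is exactly the protection the
    article is measuring. Cleartext requests with no sensitive parameter
    (a static image fetch, say) are also skipped.
    """
    findings = []
    for scheme, host, target in requests:
        if scheme != "http":
            continue
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        leaked = sorted({SENSITIVE_PARAMS[p] for p in params if p in SENSITIVE_PARAMS})
        if leaked:
            findings.append({"host": host, "leaks": leaked})
    return findings

def leaks_by_host(requests):
    """Collapse findings into {host: set of leak categories} for a summary report."""
    summary = {}
    for f in find_cleartext_leaks(requests):
        summary.setdefault(f["host"], set()).update(f["leaks"])
    return summary

if __name__ == "__main__":
    for host, kinds in sorted(leaks_by_host(SAMPLE_REQUESTS).items()):
        print(f"{host}: sends {', '.join(sorted(kinds))} unencrypted")
```

Pointing the same logic at the query strings in a real capture would need the host and target pulled from the HTTP request line and Host header, which is the only part left as an exercise.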

Mind the gaps

Even as these services implement stronger security measures, their encryption protection still leaks at the edges—particularly where they integrate with other services.

One of the biggest gaps is encryption between mail services. As Google’s Brandon Long pointed out in a recent blog entry, Google currently encrypts 71 percent of its outbound e-mail messages sent to other mail providers, while 50 percent of e-mail coming into Gmail arrives without encryption protection. This is because many e-mail service providers have lagged in their implementation of Transport Layer Security for encrypting e-mail in transit.

Another source of privacy leaks is the services’ “cookies”—the bits of information that get stored by browsers and retrieved by Web sites. We found a number of cookies related to integration of services that carried identifying data, including one used by Microsoft Bing that included the full name of my Facebook profile and a link to two different sizes of my Facebook profile picture.

Schefcik said that the cookie "boosts performance between Bing and Facebook and is being reviewed. The Facebook information is cached for those who log into Bing with Facebook, in order to reduce latency and improve performance. Since Facebook considers both your name and profile photo to be public, caching these to improve performance for users is a balance between performance and privacy.”

That balance, and the balance that cloud providers have to strike between their customers’ privacy and the demands of advertisers and service partners, will continue to create holes in the protection provided by SSL. The privacy of your Web journeys is only as strong as the weakest link. Continuing implementation issues around SSL, such as the massive Heartbleed crypto bug and the latest round of exploits uncovered in the OpenSSL library, make it hard for smaller website operators to stay secure.

And even when a site uses SSL to provide a secure connection, that doesn’t guarantee that your activities on that site won’t be surveilled. “Man-in-the-middle” attacks that can strip SSL’s protection away have become easier to execute, even for those without the resources of a national intelligence agency.