Full-Session SSL ?

foggy

Valued Member
Hi,

I'm new here and the welcome message said for a new user to post a new question in this forum (if I wasn't sure where else to go with it), so here it is.... :)

I have a question about full-session SSL/https for webmail users. I don't know much about it all, but from what I understand it's a rather basic layer of protection that just about all email providers (FastMail, Hushmail, Lavabit, EuMX, GMX, Gmail, etc.) offer their users with the exception of two of the most popular: Yahoo and Hotmail. Yahoo's supposed to be coming out with a new webmail (in the next week or so) which may or may not have added this feature. Hotmail, OTOH, has been promising it and may implement it in the next few months.

Well, with all the worries out there about hacking -- and with Yahoo and Hotmail being the most hacked services, I believe -- I'm just curious why so many people use those services' non-secure webmail. I know many may have had their accounts with those providers for a long time, but there are other free (and low-cost) providers with better security, no ?

Maybe I can reduce this to two related questions:

1. Just how concerned should someone be if he/she uses the non-secure webmail interfaces of Yahoo and Hotmail (i.e. how much protection is lacking by not having full-session SSL) ?

2. If there is a security concern in not having full-session SSL/https, why do so many people not find another, better provider that does have it (even Gmail) ?

Thanks for any comments ! :)
 

EQ Admin

EQ Forum Admin
Staff member
Hi foggy.

Nice questions! :)

Yahoo and Hotmail do use https for pages with sensitive information such as their login pages and when editing account details. Those are the most important parts of the web transactions to have encrypted. Other than that it starts to come down to how sensitive is the content of your email and how much do you care if someone else is able to read parts of it?

Keep in mind Yahoo and Hotmail free accounts target home users and not business clients that might have more security needs such as HIPAA compliance for their business email hosting.

The biggest concern of not having https all the time, as I said above, is that there is more potential for someone else to be able to intercept and read your emails. A common situation would be at a company where the security group monitors and logs all incoming and outgoing traffic from your workstation. Some companies go as far as taking random/intermittent screen shots of your desktop. No level of https can protect you from that.

As for the hacking, I don't believe that is http vs https related. The frequent hacking of Hotmail and Yahoo accounts seems to be a result of phishing attacks. This is purely an opinion, but it seems more technical/savvy email users tend to use Gmail while mom and grandma are still using their old Yahoo and Hotmail accounts. The Hotmail/Yahoo free webmail users seem more likely to get tricked into replying to an email or filling out a web page form designed to steal their login information.

A big reason for not changing an email account is that you need to change your email address. Hotmail has free pop3 access now which makes it possible to import hotmail to Gmail. Yahoo still does not provide free pop3 access so those users have more to deal with if they want to leave Yahoo for a different free webmail provider.

:welcome: to Email Questions!
 

foggy

Valued Member
Hi,

Thanks for the reply !

So, to see if I have this right... you're saying that a webmail session that is not entirely encrypted (i.e. is https for the login only) can be seen by someone who intercepts information being transmitted between the browser and the webmail interface, but it cannot be hijacked in any way. IOW, someone could see what I'm doing (what I'm reading & writing) but can't actually do anything at the interface itself. That requires actually hacking into it. Is that right ?

Re: hacking of Yahoo and Hotmail: I can't believe the number of "how to hack into...." results I see in Yahoo or YouTube whenever I do a search for "yahoo mail" or "hotmail" ! Seems like everyone and his brother is learning how to use software of some sort to break into people's accounts without their unfortunate cooperation (phishing). I've even read (usually in the 'comments' of some email related web article) where very computer literate people -- with strong passwords and safe online practices -- find their Gmail, Yahoo or Hotmail accounts commandeered ! All that plus the above-mentioned lack of session-long SSL makes me wary of using Yahoo/Hotmail even for storage.

Anyway, thanks again for the response and for the welcome ! :D
 

EQ Admin

EQ Forum Admin
Staff member
Sure, there are ways to fake at least the login pages to phish members' user names and passwords. For example, you could overwrite their hosts file and get them to land at a page that looks like Hotmail or Yahoo. Again, those members should be expecting those particular pages to be https, so at least part of this group of hacked members should notice something is wrong. Anyone with access to modify your DNS would also be able to redirect or proxy your traffic and monitor the http bits.

I'm aware of a few pages for those sites. I've seen programs that can be used to lock you out by automatically sending bad username and password combinations to those sites and effectively locking you out of your account. I'm not aware of a program that can be used to actually brute force break into someone's account. If you do happen to find one that works I'd be interested in seeing it. PM me the link; don't post it publicly, we're not a hack site.
:thanks:
 

foggy

Valued Member
FWIW, I just found this article, which may give one pause about using non-secure webmail. At least as I understand it, the guy's FF extension is intended to show how vulnerable one can be without session-long SSL for mail and many other things. (As noted above, I really don't know much about the technology behind it all.)
 

EQ Admin

EQ Forum Admin
Staff member
Interesting tool. Network and Wi-Fi packet sniffers have been around forever. A point and click tool to login to these sites as other people only makes the problem worse. I disagree with some of the more technical comments after that article saying SSL requires far more resources to implement. It's not 1999 anymore. With today's technology, making web sites 100% SSL https:// enabled isn't that big of a deal. There are a few appliance solutions, including F5 Big-IP, that allow you to offload the SSL work from servers to boxes dedicated to processing SSL. They scale up easily enough to large web sites. For massive web sites such as Hotmail and Yahoo Mail it's likely more of an issue, but if Google and others can do it then Microsoft should be able to do it for Hotmail too.
 
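As an added example (not from this thread or from any provider mentioned in it), here is a defender-side check of the cookie attributes that decide whether a login-only-https webmail session is exposed to the packet sniffers discussed above: a session cookie issued without the Secure attribute is also sent on every plain http request, so anyone on the same network can copy and reuse it. The Set-Cookie headers are constructed samples and SESSIONID is an assumed cookie name.

```python
"""Audit Set-Cookie headers for session exposure over plain http.

Login over https protects the password, but if the session cookie the
server then sets lacks the Secure attribute, the browser keeps sending it
over http for the rest of the session, where a passive sniffer can read it.
"""
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from any real webmail site).
SAMPLES = {
    "login_only_ssl": [
        "SESSIONID=abc123; Path=/; HttpOnly",          # no Secure flag
        "prefs=lang%3Den; Path=/",
    ],
    "full_session_ssl": [
        "SESSIONID=abc123; Path=/; Secure; HttpOnly",
        "prefs=lang%3Den; Path=/; Secure",
    ],
}


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Return (cookie name, {attribute: value}) for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    # Flags such as Secure/HttpOnly parse as True; absent attributes are "".
    attrs = {k: v for k, v in morsel.items() if v}
    return name, attrs


def audit_cookies(headers: list[str], session_names=("SESSIONID",)) -> list[str]:
    """Return findings for the given Set-Cookie headers; [] means all are protected."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not attrs.get("secure"):
            sev = "HIGH" if name in session_names else "low"
            findings.append(f"{sev}: {name} lacks Secure; sent over plain http, sniffable")
        if name in session_names and not attrs.get("httponly"):
            findings.append(f"medium: {name} lacks HttpOnly; readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, audit_cookies(headers) or ["ok"])
```

Run it against the headers a real provider returns after login (e.g. from your browser's network panel) to see whether its session survives only as long as the https page does.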

EQ Admin

EQ Forum Admin
Staff member
It's definitely an eye opener though, if that plugin works (I'll try it later on a test network), just how easy it's become to get into others' email accounts. I've had a lot of experience dealing with users who knew they got phished after explaining what that means. I avoid wireless networks. When I do need to be on one I VPN back to home so I know my personal info is more secure. It makes more sense now why Coffee Shop Joe may have been hacked when they are sure they did not get phished and their spyware scans come up clean. It's a great extra question to ask: "Do you connect to wireless computer networks?"

:thanks:
 