Today I noticed something with my Yahoo! email account that somehow escaped my attention all this time. The URL did not start with https but was just plain old http.

I think even those who are not very net/tech savvy would know that https:// implies “fairly safe” – i.e. safe as in the information you enter in a web-page with it (e.g. your password, credit-card information while purchasing) is less likely to be “eaves-dropped upon”. For a technical explanation as to why this is so you can read this wiki page.

Now, the question that burns in me today is why is https not being used for online email accounts – particularly, when a secure https connection is so prevalent nowadays. I have a Yahoo!, and a gmail account, and from what I can tell, both are not using https based addresses for the web-pages that display my personal emails. Both do use https based address for the login page, which is good, as there is protection for your userid and password.

But why not for the other pages? Perhaps this is some sort of a resource limit issue as I can imagine an https based web page could take more resources on the server.

Or am I missing something and it is really https throughout? I hope so.

If not, it is unnerving to realize that all the content of my personal emails is being exchanged between the server and my browser unencrypted i.e. “in the clear”. This can include sensitive information. For example, your bank sent your userid and password information when you told them you forgot (although here the password is temporary).

Worse, you are one of those who sends yourself a “reminder email” that lists some of the userids and passwords for the various different sites you are registered with – so that you just need to remember your email account userid and password, read this email and voila! All the information is “readily accessible”! Well, the problem is, every time you refer to that particular email, this readily accessible, sensitive information would be exchanged “in the clear”. A “packet sniffer” out there on behalf of an identity thief could potentially sniff it out – I would guess these are the things they generally are sniffing for.

Now, admittedly this could be argued as “poor and careless” use of online email accounts. However, shouldn’t we also ask – why isn’t all our online email access always https based? When we are in the middle (and no longer dawn) of the internet age, when just about everyone has at least one online email account, when online email access is more often used as online purchase, why don’t these online email services make it as safe as online purchases?

I hope I am wrong and they are indeed secure.

Update: Looks like this article deals with the subject and confirms my fears w.r.t Yahoo! mail, but allays my fears for gmail. To quote from the article:

“A secure connection to Gmail is available at httpS://gmail.google.com … Yahoo Mail! transmits your login information in the background to an https page, but you can click on the “Secure” link to reach an https page to log into Yahoo! Mail first. Once you’re logged in, sending and receiving your email happens over an insecure connection.”

What’s up with that, Yahoo!?
