We all do it: we connect to the web and read our mail from a browser all the time. But those web pages are vectors for cross-site scripting (XSS), and a newer nasty, CSRF (pronounced "sea-surf"), cross-site request forgery, affects many webmail providers, most notably Gmail.
Gmail even knows about a flaw it hasn't bothered to patch, according to several researchers. It's tricky, but in the right technical situation an attacker can use it to change your password.
Not to mention the fact that if you're checking your mail over plain http at an unencrypted WiFi hotspot (you don't do that, do you?), your password can be captured by the teenager sitting at the window sipping his latte while he runs a packet sniffer. The open hotspot just makes it easy: anything sent over http is readable by whoever runs the network or sits anywhere between you and the mail server.
When users who are generally unacquainted with the acronyms above ask me for advice about this, I have two recommendations:
First, if you're at a free WiFi hotspot, don't go anywhere you have to log in. That's the simplest advice. But if you're on business, or do want to check Gmail, Yahoo, etc., there is something you can do: log in using https, that is, start the address with https:// rather than http://. That encrypts the traffic between your browser and the mail server, so the password you type is not sent in the clear.
Keep in mind that some services let you log in using https but then bounce you to an unencrypted page for the rest of the session. Yahoo and Hotmail do exactly that. So if you send an email with private information, it goes across the net in the open. Worse, once you are back on http your browser attaches the session cookie to every request, and a sniffer who captures that cookie can replay it and read your mailbox without ever learning your password.
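To make concrete what the sniffer in the two scenarios above actually recovers, here is an added example (mine, not code from the original post or from any mail provider): a small Python parser run over constructed sample traffic, a plaintext login POST and a follow-up request carrying the session cookie, plus a check for whether a Set-Cookie header even allows the browser to send that cookie over http. The host mail.example.com, the form field names and the cookie name SID are made-up assumptions.

```python
"""Added example, not part of the original post: what a passive sniffer on an
open hotspot recovers from webmail traffic that runs over plain HTTP.
The requests and Set-Cookie headers below are constructed samples, not real
captures; mail.example.com, the form field names and the SID cookie are made up."""
from urllib.parse import parse_qs


def parse_http_request(raw: bytes) -> dict:
    """Split one captured HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "body": body.decode("latin-1")}


def exposed_credentials(req: dict) -> dict:
    """Form fields a sniffer reads straight out of a plaintext login POST."""
    if req["method"] != "POST":
        return {}
    ctype = req["headers"].get("content-type", "")
    if "application/x-www-form-urlencoded" not in ctype:
        return {}
    return {name: values[0] for name, values in parse_qs(req["body"]).items()}


def exposed_cookies(req: dict) -> dict:
    """Cookies sent in the clear; replaying the session cookie hijacks the
    mailbox without ever needing the password."""
    cookies = {}
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def cookie_sent_over_http(set_cookie: str) -> bool:
    """True when a Set-Cookie header lacks the Secure attribute, meaning the
    browser will also send the cookie on plain http:// pages. This is the
    login-over-https, bounce-to-http situation described in the post."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs


# Constructed sample traffic (assumed host, field names and cookie name).
LOGIN_BODY = "user=alice%40example.com&passwd=hunter2"
LOGIN_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(LOGIN_BODY)}\r\n"
    "\r\n" + LOGIN_BODY
).encode()

INBOX_GET = (
    "GET /inbox HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Cookie: SID=9f3a1c77e2b4; lang=en\r\n"
    "\r\n"
).encode()

# Constructed: a session cookie from a site that only encrypts the login page,
# beside the same cookie set the way a site that stays on https should set it.
WEAK_SET_COOKIE = "SID=9f3a1c77e2b4; Path=/; HttpOnly"
GOOD_SET_COOKIE = "SID=9f3a1c77e2b4; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    login = parse_http_request(LOGIN_POST)
    inbox = parse_http_request(INBOX_GET)
    print("credentials in the clear:", exposed_credentials(login))
    print("session cookies in the clear:", exposed_cookies(inbox))
    print("weak cookie replayable over http:", cookie_sent_over_http(WEAK_SET_COOKIE))
    print("Secure cookie replayable over http:", cookie_sent_over_http(GOOD_SET_COOKIE))
```

The login POST gives up the password directly; the inbox request gives up the SID cookie, which is all an attacker needs to open the mailbox in his own browser for as long as the session lasts. The last two lines show the point of staying on https for the whole session: only a cookie marked Secure is withheld from http pages, and a site that bounces you to http cannot mark its session cookie that way and still work.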
Gmail has a setting (somewhat well hidden) that makes it connect over https and stay there. In Gmail, select Settings in the top right corner. Scroll all the way to the bottom of the page, to the "Browser connection" category. Select "Always use https," and you can read your email safe from prying eyes. Bookmark https://mail.google.com as well, so you always start on an encrypted page. I haven't found anything like this in Yahoo and Hotmail. Good enough reason to switch!