Apr 24 2009   7:05PM GMT

The Risks of Using Gmail, Hotmail and Yahoo

Arian Eigen Heald Arian Eigen Heald Profile: Arian Eigen Heald

We all do it; we connect to the web and grab our mail all the time. But those web pages are vectors for cross site scripting (CSS) and a new nasty – CSRF (pronounced SeeSurf), cross-site request forgery, affects many webmail providers, most notably Gmail.

Gmail even knows about a flaw it hasn’t bothered to patch, according to several researchers. It’s tricky, but an attacker can use it to change your password in the right technical situation.

Not to mention the fact that if you’re checking your mail at an unencrypted WiFi hotspot (you don’t do that, do you?) your password can be captured by the teenager sitting at the window sipping his latte while he runs a packet sniffer.

When I’m asked for advice about this from users that are generally unacquainted with the acronyms above, I have two recommendations:

First, if you’re at a free WiFi hotspot, don’t go anywhere you have to log in. That’s the simplest advice. But if you’re on business, or do want to check Gmail, Yahoo, etc., there is something you can do: Log in using https. This forcibly encrypts your traffic when you log in.

Keep in mind that some services let you log in using https, but then bounce you to an unencrypted page for the rest of the activity. Yahoo and Hotmail do exactly that. So if you’re sending an email with private information, it will go across the net in open format.

Gmail has a setting (somewhat well-hidden) that can require you to connect and stay in https. If you are in Gmail, select settings at the right top corner. Scroll all the way to the bottom of the page, to the category “browser connection.” Select “always use https,” and you can read your email safe from prying eyes. I haven’t found anything like this in Yahoo and Hotmail. Good enough reason to switch!

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: