The revamped Yahoo Mail sure is pretty, but from a security perspective the popular service has a pretty ugly security flaw: It doesn’t encrypt your email sessions. But that will soon change. (Finally!) Yahoo plans to roll out default SSL connections to all email accounts beginning January 8, 2014, the company announced Monday.
Unlike Gmail and Outlook.com, Yahoo Mail does not lock down each mail account with SSL encryption. Instead, Yahoo Mail lets users login via SSL and then flips to an unencrypted connection during a regular mail session.
Without an SSL connection, any email you send via Yahoo Mail is wide open to interception over an open Wi-Fi connection at cafes and airports. It also makes Yahoo Mail more vulnerable to data grabs from shadowy figures when your email is in transit across the Internet.
In other words, the decision to make SSL the default connection method for its email service is long overdue.
The flaw exploited by Firesheep
Case in point: The ability to hack non-SSL protected email is relatively easy over a public Wi-Fi connection, a fact that was put in stark contrast in 2010 thanks to a Firefox add-on called Firesheep. The add-on let any attacker on an open network use a type of man-in-the-middle attack called a sidejack.
Basically, Firesheep steals login session IDs from a target PC, allowing the attacker to gain access to your account for the duration of the current login period. During that time, a hacker would be able to read over all your personal data including email messages and contact data.
Firesheep is just one example of how an unsecured online account could be hijacked by an attacker. Needless to say, Yahoo’s decision to roll out SSL is an important move to secure its users’ connections. The SSL rollout comes long after Google switched all Gmail users to SSL by default in 2010 and Outlook made SSL the default option when it rolled out its service in 2012. Facebook also recently rolled out SSL encryption by default in August after offering it as an option since 2011.
DIY SSL
Yahoo quietly began offering the option to opt-in to SSL connections through Yahoo Mail’s settings panel around late 2012 or early 2013, however—though it’s disabled by default.
If you can’t wait for Yahoo to turn on SSL encryption in January, you can activate it yourself by clicking on the settings cog in the upper right corner of your Yahoo Mail inbox. Select “Settings” from the dropdown menu and then select “Security” in the pop-up window that appears.
At the top of the security section make sure the “Use SSL” checkbox is ticked and don’t forget to press “Save.” Once that’s done, your inbox tab will refresh and you should see a lock icon on the left side of the address bar along with the letters “https.” That means your SSL connection is working properly.
If you want to make sure you’re using an SSL connection whenever possible, also check out the Electronic Frontier Foundation’s HTTPS Everywhere browser plugin for Chrome and Firefox.