# Yahoo Mail & (lack of) HTTPS



## silentdrum (Dec 24, 2004)

Has anyone heard if Yahoo plans on finally implementing all the time HTTPS for their mail? It's hard to believe that they've not done it yet--even Twitter has done it; Hotmail, of course Gmail.

If I knew they were planning it I'd stick around. Otherwise I want to move on. Anyone have inside dope? 

Thank you.


----------



## koala (Mar 27, 2005)

Yahoo mail only uses https when you're logging in, then it reverts to standard http for the rest of the email session. No plans at the moment or in the near future for the more secure https.


----------



## silentdrum (Dec 24, 2004)

Yes, I know, but how can they ignore the call for them to do this when every other major email provider has done this, i.e. full time HTTPS? Don't they care about what their customers want? Even Schumer wrote them a letter about this.


----------



## asmDash (Apr 19, 2011)

Personally I don't believe using it or not will make a difference. HTTPS isn't as "secure" as it used to be when it was first introduced.


----------



## silentdrum (Dec 24, 2004)

asmDash said:


> Personally I don't believe using it or not will make a difference. HTTPS isn't as "secure" as it used to be when it was first introduced.


Wouldn't it at least protect one in an open wifi situation from such programs as Firesheep?


----------



## asmDash (Apr 19, 2011)

Try just Wireshark, watch everything that's being sent to and from on the network. Even though the site is using HTTPS and that's the protocol, it can still be sent across in plain text and still picked up. It may prevent session hijacking with Firesheep though. I think someone actually getting the password is a bigger vulnerability and problem. However, it does require you to run into a person with higher skills if they are going to go that way. But people with less skill would probably just stick with Firesheep, and yes, on sites that constantly use HTTPS they would be protected from that.


----------



## silentdrum (Dec 24, 2004)

I hear you, you're saying that the HTTPS protocol is certainly not invulnerable; still it would go a long way to reassuring people if Yahoo at least made the gesture. I know it costs more but Yahoo is rolling in it. What's the obtuseness about? Why don't they at least come up with some other way to encrypt or protect in those situations?


----------



## asmDash (Apr 19, 2011)

silentdrum said:


> I hear you, you're saying that the HTTPS protocol is certainly not invulnerable; still it would go a long way to reassuring people if Yahoo at least made the gesture. I know it costs more but Yahoo is rolling in it. What's the obtuseness about? Why don't they at least come up with some other way to encrypt or protect in those situations?


Possibly because Yahoo might not care that much. I noticed Yahoo mail is getting less popular among common users and more popular with bots. There are many downsides to using Yahoo as compared to other mails. One large one is the fact anyone can disable any Yahoo email with just the email itself and their own email.


----------



## mdrocker (Oct 25, 2011)

I signed up for Yahoo Mail Plus, and now, if I enter the "s" after http, my entire session appears to be secure. Not sure if this is the way Yahoo planned it, but it works. Appreciate feedback from security experts on whether or not this is actually secure. I assume I'm not on some criminal's separate https: site that is perfectly mimicking my real Yahoo mail account.


----------
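The login-only HTTPS pattern discussed in this thread, as an added example that is not part of any post: a small Python audit over a constructed capture that flags where a session cookie leaves TLS, which is the exposure a Firesheep-style sniffer on open Wi-Fi depends on. The hosts, cookie names and the record layout are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed capture of a login-only-HTTPS session (hosts and cookie names are made up).
SAMPLE = [
    {"url": "https://login.mail.example/auth", "sent_cookies": [],
     "set_cookie": ["SID=3f9a; Path=/; Domain=mail.example; HttpOnly"],
     "location": "http://mail.example/inbox"},
    {"url": "http://mail.example/inbox", "sent_cookies": ["SID"],
     "set_cookie": [], "location": None},
    {"url": "https://mail.example/settings", "sent_cookies": ["SID"],
     "set_cookie": ["PREF=dark; Path=/; Secure"], "location": None},
]

def cookie_name_and_flags(header):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}

def audit_session(exchanges):
    """Return (issue, url, detail) tuples for each point where the session leaves TLS."""
    findings = []
    insecure_cookies = set()  # cookies a browser would also attach to plain-HTTP requests
    for ex in exchanges:
        scheme = urlsplit(ex["url"]).scheme
        for header in ex["set_cookie"]:
            name, flags = cookie_name_and_flags(header)
            if "secure" not in flags:
                insecure_cookies.add(name)
                findings.append(("cookie-without-secure", ex["url"], name))
        loc = ex["location"]
        # A redirect from the HTTPS login page to an http:// URL ends the protected part.
        if scheme == "https" and loc and urlsplit(loc).scheme == "http":
            findings.append(("https-to-http-redirect", ex["url"], loc))
        # Any such cookie attached to an http:// request is readable on the local network.
        if scheme == "http":
            for name in ex["sent_cookies"]:
                if name in insecure_cookies:
                    findings.append(("cookie-sent-in-cleartext", ex["url"], name))
    return findings

if __name__ == "__main__":
    for finding in audit_session(SAMPLE):
        print(*finding, sep="  ")
```

A session that stays on HTTPS throughout and marks its cookies `Secure` produces no findings.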

