Solve : Security in Email Login?

1.	Solve : Security in Email Login?
Answer» Hi, Since I'm not too bright when it comes to computer security/privacy, I'd like to know: what is the practical difference between a webmail service that offers a "secure login" only (like Yahoo, Hotmail, etc.) and one that offers a secure connection for the entire webmail session (Lavabit, Fastmail, etc.) ? What, if anything, is vulnerable in the former instance that isn't in the latter ? And how important is it to have one of the latter email services rather than the former ? Thanks for any comments. Look at your URL and browser security status (the lock image on the status bar at bottom) during login and thereafter. In secure mode, your URL will start with https, not http. I have Yahoo! account. Yes, the login is occurs in secure mode, i.e. URL begins with https. But, it reverts back to normal mode, i.e. http, after login. An email service that offers a secure connection for the entire webmail sessionwill remain in secure mode, i.e. https, during the entire session. Thus, it's more secure. Quote from: soybean on July 01, 2008, 08:37:31 AM Look at your URL and browser security status (the lock image on the status bar at bottom) during login and thereafter. In secure mode, your URL will start with https, not http. I have Yahoo! account. Yes, the login is occurs in secure mode, i.e. URL begins with https. But, it reverts back to normal mode, i.e. http, after login. An email service that offers a secure connection for the entire webmail sessionwill remain in secure mode, i.e. https, during the entire session. Thus, it's more secure. Hi, soybean Thanks for the reply. I guess I'm wondering exactly what is more secure when the entire session is https. When I'm securely logged in, but NOT in a secure session (as is the case with Yahoo), what is more vulnerable ? Can hackers get access to my drafts or sent messages or something ? Can they read the mails in my inbox ? And why would a service (like Yahoo) go to the trouble of offering secure login and not have a secure session ? Quote from: rememberwhen on July 01, 2008, 12:57:35 PM I guess I'm wondering exactly what is more secure when the entire session is https. Nothing. I don't BELIEVE I said anything that suggested there's something more secure than the entire session is https. The secure mode (https) is the same mode that all banks and other financial websites use during any session where a user is logged onto an account. It's called SSL (Secure Socket Layer) and it uses encryption to achieve it's security objectives. So, wouldn't you agree Yahoo!'s using of secure mode for the login step, the phase of accessing your account where you enter your password, provides more security than not using secure mode at all (meaning login in would be done via http)? If password entry is secure, that surely reduces that chances of someone gaining unauthorized access to your email account. Granted, the ultimate security is achieved by keeping the entire session in secure mode, but putting the login phase in secure mode still provides a good measure of security.Quote from: soybean on July 01, 2008, 01:38:23 PM Quote from: rememberwhen on July 01, 2008, 12:57:35 PM I guess I'm wondering exactly what is more secure when the entire session is https. Nothing. I don't believe I said anything that suggested there's something more secure than the entire session is https. The secure mode (https) is the same mode that all banks and other financial websites use during any session where a user is logged onto an account. It's called SSL (Secure Socket Layer) and it uses encryption to achieve it's security objectives. So, wouldn't you agree Yahoo!'s using of secure mode for the login step, the phase of accessing your account where you enter your password, provides more security than not using secure mode at all (meaning login in would be done via http)? If password entry is secure, that surely reduces that chances of someone gaining unauthorized access to your email account. Granted, the ultimate security is achieved by keeping the entire session in secure mode, but putting the login phase in secure mode still provides a good measure of security. Hi, soybean ! Thanks again for the informative reply. I'm still a little confused (condition normal ). Chalk it up to my aging GRAY matter. I understand that secure login in better than non-secure login. But you said in your earlier email:Quote An email service that offers a secure connection for the entire webmail session will remain in secure mode, i.e. https, during the entire session. Thus, it's more secure. So, my main point of interest is what is the advantage in going with a provider that has the entire webmail session in a secure mode ? With Yahoo, I get secure login. With Lavabit + Fastmail I get secure login *and* a secure session. But what does a secure session have that merely a secure login doesn't ? IOW, is my Yahoo webmail session more vulnerable to attack because Yahoo only gave me the secure login and not a secure email session ? Are Lavabit and Fastmail better because they offer secure sessions, not just secure login ? Thanks for any clarification. Well, if you're a lawyer or a physician and you're using email to transmit highly confidential information, I'd say use an email service that conducts the entire session in secure mode. But, OTHERWISE, from a practical standpoint, I believe you have nothing to worry about with an email account such as Yahoo! or the popular Google's Gmail, NEITHER of which use secure mode during the entire session. I think you probably should be more concerned about password security. Use a "strong" password and guard its secrecy and you should have no problem with unauthorized access to your email. See http://www.securitystats.com/tools/password.php for some points on password security. I once heard a computer consultant talk about security issues. He said he could often guess peoples' passwords after chatting with them because they had used a password based on the name of a spouse, child, family pet, etc. Changing passwords every so often is also important.Thanks for the additional comments, soybean. Btw, and fwiw, I have heard that one can force Gmail to remain secure through the whole session. I believe one of the ways is through an extension available for FF. I don't use Gmail so I can't confirm it. Thanks again for all the input !

Answer»

Hi,

Since I'm not too bright when it comes to computer security/privacy, I'd like to know: what is the practical difference between a webmail service that offers a "secure login" only (like Yahoo, Hotmail, etc.) and one that offers a secure connection for the entire webmail session (Lavabit, Fastmail, etc.) ? What, if anything, is vulnerable in the former instance that isn't in the latter ? And how important is it to have one of the latter email services rather than the former ?

Thanks for any comments. Look at your URL and browser security status (the lock image on the status bar at bottom) during login and thereafter. In secure mode, your URL will start with https, not http.

I have Yahoo! account. Yes, the login is occurs in secure mode, i.e. URL begins with https. But, it reverts back to normal mode, i.e. http, after login. An email service that offers a secure connection for the entire webmail sessionwill remain in secure mode, i.e. https, during the entire session. Thus, it's more secure.

Quote from: soybean on July 01, 2008, 08:37:31 AM

Look at your URL and browser security status (the lock image on the status bar at bottom) during login and thereafter. In secure mode, your URL will start with https, not http.

I have Yahoo! account. Yes, the login is occurs in secure mode, i.e. URL begins with https. But, it reverts back to normal mode, i.e. http, after login. An email service that offers a secure connection for the entire webmail sessionwill remain in secure mode, i.e. https, during the entire session. Thus, it's more secure.

Hi, soybean

Thanks for the reply.

I guess I'm wondering exactly what is more secure when the entire session is https. When I'm securely logged in, but NOT in a secure session (as is the case with Yahoo), what is more vulnerable ? Can hackers get access to my drafts or sent messages or something ? Can they read the mails in my inbox ? And why would a service (like Yahoo) go to the trouble of offering secure login and not have a secure session ? Quote from: rememberwhen on July 01, 2008, 12:57:35 PM

I guess I'm wondering exactly what is more secure when the entire session is https.

Nothing. I don't BELIEVE I said anything that suggested there's something more secure than the entire session is https.

The secure mode (https) is the same mode that all banks and other financial websites use during any session where a user is logged onto an account. It's called SSL (Secure Socket Layer) and it uses encryption to achieve it's security objectives. So, wouldn't you agree Yahoo!'s using of secure mode for the login step, the phase of accessing your account where you enter your password, provides more security than not using secure mode at all (meaning login in would be done via http)? If password entry is secure, that surely reduces that chances of someone gaining unauthorized access to your email account. Granted, the ultimate security is achieved by keeping the entire session in secure mode, but putting the login phase in secure mode still provides a good measure of security.Quote from: soybean on July 01, 2008, 01:38:23 PM

Quote from: rememberwhen on July 01, 2008, 12:57:35 PM
I guess I'm wondering exactly what is more secure when the entire session is https.
Nothing. I don't believe I said anything that suggested there's something more secure than the entire session is https.

The secure mode (https) is the same mode that all banks and other financial websites use during any session where a user is logged onto an account. It's called SSL (Secure Socket Layer) and it uses encryption to achieve it's security objectives. So, wouldn't you agree Yahoo!'s using of secure mode for the login step, the phase of accessing your account where you enter your password, provides more security than not using secure mode at all (meaning login in would be done via http)? If password entry is secure, that surely reduces that chances of someone gaining unauthorized access to your email account. Granted, the ultimate security is achieved by keeping the entire session in secure mode, but putting the login phase in secure mode still provides a good measure of security.

Hi, soybean !

Thanks again for the informative reply.

I'm still a little confused (condition normal ). Chalk it up to my aging GRAY matter.

I understand that secure login in better than non-secure login. But you said in your earlier email:Quote

An email service that offers a secure connection for the entire webmail session will remain in secure mode, i.e. https, during the entire session. Thus, it's more secure.

So, my main point of interest is what is the advantage in going with a provider that has the entire webmail session in a secure mode ? With Yahoo, I get secure login. With Lavabit + Fastmail I get secure login and a secure session. But what does a secure session have that merely a secure login doesn't ? IOW, is my Yahoo webmail session more vulnerable to attack because Yahoo only gave me the secure login and not a secure email session ? Are Lavabit and Fastmail better because they offer secure sessions, not just secure login ?

Thanks for any clarification.

Well, if you're a lawyer or a physician and you're using email to transmit highly confidential information, I'd say use an email service that conducts the entire session in secure mode. But, OTHERWISE, from a practical standpoint, I believe you have nothing to worry about with an email account such as Yahoo! or the popular Google's Gmail, NEITHER of which use secure mode during the entire session.

I think you probably should be more concerned about password security. Use a "strong" password and guard its secrecy and you should have no problem with unauthorized access to your email. See http://www.securitystats.com/tools/password.php for some points on password security.

I once heard a computer consultant talk about security issues. He said he could often guess peoples' passwords after chatting with them because they had used a password based on the name of a spouse, child, family pet, etc. Changing passwords every so often is also important.Thanks for the additional comments, soybean.

Btw, and fwiw, I have heard that one can force Gmail to remain secure through the whole session. I believe one of the ways is through an extension available for FF. I don't use Gmail so I can't confirm it.

Thanks again for all the input !

Solve : Security in Email Login?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment