Why I left Yahoo Mail (and you should too)

Apr 28, 2011

My first email address, registered around 1994, was alsmola@aol.com. The name “alsmola” comes from my awesome drum teacher Randy Carr, who greeted me at each lesson with a “Hey what’s up big Al Smola!”. I liked it and it stuck. I gave out alsmola@aol.com pretty indiscriminately, and sure enough, the mailbox filled up with spam.

Around 1998, I registered alsmola@yahoo.com. Somehow, I didn’t learn my lesson and gave the Yahoo address out to every service that requires an email address to sign up. Even though Yahoo Mail had better spam filtering, there was still a ton of bacn. When I registered a Gmail address around 2005, I decided to give that address to real people, while Yahoo remained my go-to address for site registration, mailing lists, and other untrustworthy channels. I’ve been cruising along like that for a while, give or take some educational and professional email addresses. Anyone that wasn’t a real person got the Yahoo address.

Around 2008, I started to understand the risks of session hijacking, and I was surprised to learn that Yahoo web mail didn’t offer an option to browse mail securely via HTTPS. To this day, if you browse to https://mail.yahoo.com, you’ll get redirected to a plaintext connection.

Let’s reiterate – Yahoo Mail doesn’t support secure connections. That means anyone browsing their Yahoo Mail on a public network can have their email read by anyone else on the network. A tool like Firesheep makes taking over a Yahoo Mail session dead simple. Yikes.

That’s not the scariest part. Most password resets rely on email as a trusted side-channel. If someone could read my Yahoo mail, they could see what sites I use, ask for a password reset, visit the link in the email, and totally compromise my accounts. Maybe they’d need to answer a secret question, and of course I add a little security flavor to my answers for defense in depth, but I’m a security professional. For most people, visiting their Yahoo Mail account on a public network is like leaving the car doors unlocked and the keys in the ignition. It’s just a huge risk.

Sure, I could run a VPN every time I hop on my school network. I could set up a simple SSH proxy. But I can’t get over the feeling that Yahoo Mail is being incredibly irresponsible by not even making HTTPS available, let alone requiring it. That’s why I’ve gone through every one of the accounts I care about and changed the email address. Alsmola at yahoo.com, meet alsmola at aol.com in the email hereafter. Good riddance.