Hotmail and Yahoo not secure via wireless networks

Sometimes it is the obvious we overlook.

Recently a user asked whether his credit card details and personal stock trading information could leak out while he read them in Yahoo or Hotmail email over a wireless LAN, such as those at airport lounges and coffee shops. I said I doubted it, but checked anyway. I knew from Gmail that there is an https option which persists not only at login but while reading every single page of email.

I then checked both Yahoo and Hotmail and found that even though one logs in via https, all subsequent screens come up as plain http. So if someone has bought something from an online site and received a confirmation email with account details, or emails his/her stock broker with buy and sell orders, or for that matter reads any other email containing personal details, over a wireless LAN, that information can easily be read by anyone else on the same network.
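The check described above can be automated. The following script is an added example and not code from the original page: given the headers returned by the https login and the HTML of the first page shown afterwards, it reports every place the session is pushed back to plain http, whether by a Location redirect or by a link, form action or resource that resolves to an http:// URL. The hostnames, headers and page in it are constructed placeholders, not real Yahoo or Hotmail responses.

```python
"""Check whether a webmail session stays on https after login.

Added example, not from the original page.  All sample URLs, headers and
HTML below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _TargetCollector(HTMLParser):
    """Collect every href, src and form action from an HTML document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.targets.append(value)


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def find_downgrades(page_url, headers, html):
    """Return [(kind, url)] for every http:// destination reachable from the
    given page: kind is "redirect" for a Location header and "link" for an
    anchor, form or resource target.  Relative targets are resolved against
    page_url, so a relative link on an http page is itself an http fetch.
    An empty list means nothing on this page leaves https."""
    findings = []
    location = _header(headers, "Location")
    if location:
        target = urljoin(page_url, location)
        if urlsplit(target).scheme == "http":
            findings.append(("redirect", target))
    collector = _TargetCollector()
    collector.feed(html)
    for raw in collector.targets:
        target = urljoin(page_url, raw)
        if urlsplit(target).scheme == "http":
            findings.append(("link", target))
    return findings


# Constructed sample: the login was submitted over https, but the server
# answers with a redirect to an http inbox, and that inbox page links on
# to further http pages.  The hostnames are placeholders.
LOGIN_URL = "https://login.webmail.example/auth"
LOGIN_HEADERS = {"Location": "http://mail.webmail.example/inbox"}
INBOX_URL = "http://mail.webmail.example/inbox"
INBOX_HTML = """
<html><body>
<a href="/inbox?folder=sent">Sent</a>
<a href="https://mail.webmail.example/settings">Settings</a>
<form action="http://mail.webmail.example/compose" method="post"></form>
<img src="//static.webmail.example/logo.png">
</body></html>
"""


def audit_session():
    """Run the check over the constructed login response and inbox page."""
    findings = find_downgrades(LOGIN_URL, LOGIN_HEADERS, "")
    findings += find_downgrades(INBOX_URL, {}, INBOX_HTML)
    return findings


if __name__ == "__main__":
    for kind, url in audit_session():
        print(f"{kind:8s} -> {url}")
```

Running it on the constructed sample reports the redirect plus three http links (the relative "Sent" folder, the compose form and the protocol-relative logo); the https settings link is not reported. A webmail service that kept the session on https throughout, as the Gmail option mentioned above does, would produce an empty list for every page visited after login.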

I checked some Yahoo Answers forums and found questions from users on exactly this point:
Yahoo Mail Security?

I did not find any Microsoft forum that addressed this issue.

I later found that this has been discussed previously by others. Lifehacker, in its Feb 2005 Secure Web-based email recap, stated that, "Once you're logged in, sending and receiving your email happens over an insecure connection."

And in Feb 2006, columnist Scott Granneman stated the following in Securityfocus - Coffee shop WiFi for dummies, "Most every web mail out there provides a secure (https) page for logging in to check your email, but that's it. Your password will be safe, but none of your emails. Reading and writing emails is done using plain ol' http, which means that everything is sent in the clear. Not good."

Needless to say, this attack vector can be used by identity thieves.

Yahoo and Hotmail were notified of this problem on Jan 13, 2007. As of Feb 12, 2007 no official response has been received.

Bottom line: if you are worried about identity theft, don't use Hotmail or Yahoo via any wireless access point.

Hotmail's response:

Yahoo's response:


This page is maintained by Hank Nussbacher (hank@interall.co.il)
Homepage: www.interall.co.il
Last modified on Wed Jan 24, 2007