Free e-mail accounts accessed primarily from the Web are a big business. And with Facebook’s recent announcement of Facebook Messages, which interweaves chats, texts and e-mails on the social networking site, it appears that e-mail will see a new juggernaut joining Yahoo, Google and Microsoft.

These three tech giants are so deeply involved in the e-mail market because of the traffic it produces. Every time someone checks his e-mail, it registers as a page view for that site; the more e-mail users, the more page views, which in turn means the company can charge for online advertising.

The monthly unique visits to the top three e-mail providers total about 146.4 million, according to Web research firm Compete, highlighting e-mail’s value for a company’s bottom line.

But as with every other Web application, security is paramount for users. The big three e-mail providers, Yahoo (NASDAQ:YHOO), Hotmail (NASDAQ:MSFT), and Gmail (NASDAQ:GOOG), have been working on bulking up their security efforts in hopes of winning more market share in a saturated market space.

So who has the safest e-mail? Here is a rundown of the three largest free e-mail providers and their security.

No e-mail provider achieves five out of five stars, because none offers private e-mail: encryption for e-mail at rest and public key cryptography for secure message exchange. My personal favorite is Hushmail, which is built for confidential and secure e-mail. Private e-mail can be exchanged with anyone using OpenPGP encryption, messages sent between Hush users are automatically encrypted, and all e-mail at rest is encrypted for complete confidentiality. The company also does not have access to your private keys, making it impossible for it to read your e-mail.

Hotmail – 4.5 out of 5 stars

Microsoft’s Hotmail e-mail service is the largest e-mail provider with 360 million registered users despite a 5% drop over the last 12 months, according to ComScore.

Microsoft just finished a major overhaul of its security efforts and feature offerings for Hotmail. The provider uses Secure Sockets Layer (SSL), which makes the URL start with HTTPS and displays a padlock in the browser to show the connection is encrypted. It just added full-session SSL, and users can choose to use HTTPS either automatically or only for login and account updates. It offers the two options because automatic full-session SSL seems to cause problems with Windows Live Mail, Outlook Hotmail Connector, as well as Windows Live for Mobile and Nokia phones.

For password protection and recovery, Microsoft’s Hotmail now leads the way. With its update last July, Hotmail added the ability for users to request a one-time use password for unsecured computers or unencrypted Wi-Fi connections. It also allows users to confirm a phone number and e-mail address for password and account recovery.

Hotmail added a trusted sender icon system with its overhaul in mid-2010. A green shield is displayed next to confirmed e-mail from hundreds of financial institutions and other companies.

Microsoft just announced that it has developed a system to isolate JavaScript in e-mail. Before, most providers simply blocked JavaScript because it was a common means of attack, but that also meant blocking legitimate JavaScript applications like time-sensitive special offers. This move is huge for allowing users to safely experience dynamic content in their e-mails.

Bottom line: Hotmail may have played catch-up to Gmail in 2010, but it has roared back to take the top spot with innovation. With such a large user base, Hotmail always has a target on its back. But through a massive update in 2010, and by continually adding security features, Hotmail has proven its dedication to security.

Gmail – 4 out of 5 stars

ComScore has Google as the third-ranked e-mail provider with 193.3 million users, gaining a 25% market share in the last year.

Google has also been a pioneer in terms of e-mail security. It was the first to offer full-session SSL in mid-2009, and made it standard for all users in January 2010. Google even launched an SSL-encrypted version of its search engine in May 2010.

Gmail, like Yahoo, requires its users to register a mobile phone number and separate e-mail address for account recovery. It also allows users to write their own security questions.

Gmail further increased its security by adding an authentication key in July 2009. Trustworthy e-mail senders go through a rigorous scanning process with Gmail to confirm that the message is really from who it says it’s from. Currently, only PayPal and eBay are super-trustworthy senders, because they are the two largest sites spoofed for phishing attacks.

Bottom line: Gmail has been a pioneer in security features for e-mail and that isn’t going to stop any time soon. It recently added a feature that alerts users if their account has been accessed from a foreign country.

Yahoo! Mail – 3 out of 5 stars

Yahoo Mail is the second largest e-mail provider with 273 million users, according to ComScore’s latest count, despite losing 90 million users (11% drop) last year.

Yahoo has been focusing on integrating social media with their e-mail offering, but they seem to be lagging behind in terms of security. Yahoo uses SSL in a more limited role compared to other providers.

Yahoo users are only secured when they sign in and when they update account information. While this is a good level of protection, it falls significantly short of full-session SSL, which encrypts users’ information from login to logout.
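To make the difference between login-only SSL and full-session SSL concrete, the following added example (not code from any provider discussed here) classifies a webmail session by which requests travel over HTTPS. The traces are constructed, and the hostname and phase names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed trace of one webmail session: (phase, URL) per request.
# mail.example.test is a placeholder host, not a real provider endpoint.
LOGIN_ONLY = [
    ("login", "https://mail.example.test/login"),
    ("inbox", "http://mail.example.test/inbox"),
    ("read", "http://mail.example.test/message/1"),
    ("account_update", "https://mail.example.test/account"),
    ("logout", "http://mail.example.test/logout"),
]
# The same session with every request upgraded to HTTPS.
FULL_SESSION = [(p, u.replace("http://", "https://")) for p, u in LOGIN_ONLY]

# Phases the article says login-only SSL still protects.
SENSITIVE = {"login", "account_update"}


def plaintext_requests(trace):
    """Return the (phase, URL) pairs that are not sent over HTTPS."""
    return [(p, u) for p, u in trace if urlsplit(u).scheme != "https"]


def classify(trace):
    """Label a session trace by how much of it SSL covers."""
    if not trace:
        raise ValueError("empty trace")
    exposed = plaintext_requests(trace)
    if not exposed:
        return "full-session"
    exposed_phases = {p for p, _ in exposed}
    protected_phases = {p for p, u in trace if urlsplit(u).scheme == "https"}
    if exposed_phases & SENSITIVE:
        return "unprotected"  # credentials or account data sent in the clear
    if protected_phases & SENSITIVE:
        return "login-and-account-only"
    return "unprotected"  # nothing sensitive was protected at all


if __name__ == "__main__":
    for name, trace in (("login-only", LOGIN_ONLY), ("full", FULL_SESSION)):
        print(name, classify(trace), [p for p, _ in plaintext_requests(trace)])
```

Under login-only SSL the inbox, message and logout requests are the ones left unencrypted, which is the gap full-session SSL closes.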

For password security and recovery, Yahoo requires users to register a mobile phone number and a separate e-mail account. If a user feels that his or her account has been compromised, Yahoo uses this information to get the user a new password that will give them access and control of the account again. The company also allows users to create their own security identification questions, which helps prevent accounts from being hacked just from Web research, like Sarah Palin’s account was in 2008.

Yahoo does not currently have any special trusted sender icons to confirm senders’ identities. However, it does allow users to set a security seal for their login on specific computers; when a user logs in from a certain computer, a special seal will be displayed in the top right of the login box, letting the user know that the site is indeed Yahoo. This feature might be a response to a widespread brute force attempt throughout 2009 to steal e-mail credentials, as reported by a lead researcher for the WASC Distributed Open Proxy Honeypot Project.

Bottom line: Yahoo has average security that will keep users pretty safe. Right now, Yahoo is focused on user retention and keeping them on the Yahoo portal pages to try to generate revenue.

Facebook – 2 out of 5 stars

Facebook has said over and over again that its new Messages tool is not e-mail, but it seems more like a beta e-mail provider than a finished product at this point.

The social networking giant’s entry into the e-mail market would be absolutely huge with its reported 500 million users and estimated 250 million users logging in daily. That means that more people log in to Facebook every day than log in to all three largest e-mail providers in a month.

But Facebook has some issues when it comes to security. It doesn’t offer SSL security except when a user is updating account and contact information. More than likely, Facebook will start implementing security features currently used by other providers. The upside of Messages is that there will probably be an increase of security for the site overall, but since it’s so new, we can’t be sure what the company has planned right now.

Bottom line: Right now the social media site doesn’t have the security in place to maintain an e-mail offering. Until it beefs up security and convinces users their e-mail will be safe, Messages might see slow adoption, or a high number of attacks.


Chris Weber is co-founder and managing partner of Casaba Security