Future Tense

There Might Be a Way to Securely Reuse Abandoned Email Addresses

If you haven’t used your Yahoo email address since the site looked like this, it’s probably been given away.

Screencap from nedhardy.com

In June 2013 Yahoo decided to start freeing up inactive email addresses. The idea was to give addresses that hadn’t been used in more than a year a fresh start, so if bob@yahoo.com wasn’t active, then some other Bob who would appreciate it more could snap it up. The Bobs of the world rejoiced.

But the program had some potential security problems. As Mat Honan pointed out in Wired at the time, “It means that people will be able to claim Yahoo IDs and use them to take over other people’s identities via password resets and other methods.” Facebook was concerned about the security implications as well, so it partnered with Yahoo to try to find a solution.

On Thursday the two companies announced a new proposed standard called Require-Recipient-Valid-Since (RRVS) that would use simple email timestamps to make sure that the email address that requested a reset didn’t suddenly have a new owner. Using the email protocol Simple Mail Transfer Protocol (SMTP), Facebook—and other sites that adopt RRVS—can put a timestamp in password recovery emails indicating when they last confirmed the ownership of a Yahoo email address. If a password reset request gets sent to an address after it has changed hands, Yahoo servers can recognize that there’s been a transition of ownership that Facebook’s servers aren’t aware of and keep the message from being delivered.

Facebook software engineer Murray Kucherawy wrote in a blog post:

Last year Yahoo announced that it was going to begin making long-dormant logins available for new registrations. This was a shift we knew we wanted to study closely to make sure we understood the impact to Facebook. … [Our] new method for handling recycled email addresses is a new standard and it provides a way for senders to indicate to receivers a point in time when the ownership of the target mailbox was known to the sender.

Facebook and Yahoo are making RRVS available through the Internet Engineering Task Force as a proposed standard so other sites can start adopting it. This is crucial because recycled email addresses will still be a security concern until every Internet service is using RRVS. That may never happen, but the more big companies implement it, the more secure bob@yahoo.com will be.