Feeds

Well done for flicking always-on crypto switch, Yahoo! Now here's what you SHOULD have done

Webmail provider's HTTPS move too little, too late

Protecting users from Firesheep and other Sidejacking attacks with SSL

Yahoo has followed the lead of Google and Microsoft and enabled HTTPS encryption by default for all Yahoo! Mail users.

HTTPS by default safeguards privacy over an unsecured internet connection such as a public Wi-Fi network in a cafe or an airport. Done properly the technology also safeguards against state-backed snooping directed at webmail services accessed from home or work.

Default webmail encryption is a welcome step towards greater privacy but is undermined by Yahoo!'s failure to follow industry-best practices in rolling out always-on crypto, according to security experts.

Tod Beardsley, engineering manager for Metasploit at Rapid7, said flaws in the implementation leave Yahoo! webmail far more vulnerable to snooping by intelligence agencies such as the NSA and others.

"Yahoo’s announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling," Beardsley explained. "It appears that Yahoo! is not supporting PFS (Perfect Forward Secrecy). This means that an adversary can record the encrypted session, and if they later get Yahoo's private key, they can still decrypt the session."

"In other words, an attacker can't decrypt the session today because they don’t have the private key. But in the future, 'retrospective decryption' is possible by getting a hold of that private key through an exploit on the webmail provider's servers, a weakness on the cipher itself, webmail operator cooperation, or through the power of a court-issued warrant."

Applying Perfect Forward Secrecy - a technology applied by Google, Facebook, and Twitter is their comparable HTTPS implementations - gets around this problem. With PFS, another encrypted session happens before the HTTPS session starts, using temporary keys that aren’t used for anything else. Beardsley adds: "Even if an attacker got a hold of that temporary key, it's only good for that session and that session only. They'd have to recover a new, unique key for every session they decrypt."

Google, Facebook, and Twitter have all employed ECDHE (Elliptical Curve Diffie-Hellman Exchange), where they can generate a one-time key that makes it very difficult for an attacker to come in later with private keys to decrypt. There's no good reason for Yahoo! not to have followed this approach to building out stronger crypto with its service, according to Beardsley.

"The fact that Yahoo! is ignoring the current wisdom on Perfect Forward Secrecy, which solves the retrospective decryption problem, is worrisome. I can’t think of a legitimate reason to prefer this weaker encryption strategy," Beardsley concludes.

The shortcomings of Yahoo's always-on webmail crypto don't stop at the omission of Perfect Forward Secrecy. For example, some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients. "RC4 is considered weak, which is why we advise that people either don't use it, or if they feel they must, use it as a last resort," said Ivan Ristic, director of application security research at cloud security firm Qualys, which runs the SSL Labs and SSL Pulse projects, ITWorld reports.

Microsoft and Cisco both recently phased out the use of RC4, which is considered unsafe.

Other crucial servers, such as login.yahoo.com, lack mitigations for the CRIME SSL attack, leading Qualys' SSL Labs to downgrade its overall rating to a "B".

Jeff Bonforte, SVP of communication products at Yahoo!, said that the web giant was committed to continuous security improvements in announcing HTTPS was now default in Yahoo! Mail. El Reg's security desk can only hope the web giant takes the well-intentioned criticism of security experts on board quickly in further improving the security of its service.

Bonforte said:

Anytime you use Yahoo! Mail - whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP - it is 100 per cent encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.

Security is a key focus for us and we’ll continue to enhance our security technology and policies so we can provide a safe and secure experience for our users.

Gmail has offered HTTPS by default since 2010 while Microsoft's Outlook.com webmail service launched with the feature in July 2012, at the time the service was introduced as a replacement to Hotmail. Facebook began rolling out HTTPS by default in November 2012. Yahoo! introduced full-session HTTPS for webmail users in late 2012 but users had to opt in to use a more secure version of the service, which only became the default option this week. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.