Feeds

Well done for flicking always-on crypto switch, Yahoo! Now here's what you SHOULD have done

Webmail provider's HTTPS move too little, too late

Top 5 reasons to deploy VMware with Tegile

Yahoo has followed the lead of Google and Microsoft and enabled HTTPS encryption by default for all Yahoo! Mail users.

HTTPS by default safeguards privacy over an unsecured internet connection such as a public Wi-Fi network in a cafe or an airport. Done properly the technology also safeguards against state-backed snooping directed at webmail services accessed from home or work.

Default webmail encryption is a welcome step towards greater privacy but is undermined by Yahoo!'s failure to follow industry-best practices in rolling out always-on crypto, according to security experts.

Tod Beardsley, engineering manager for Metasploit at Rapid7, said flaws in the implementation leave Yahoo! webmail far more vulnerable to snooping by intelligence agencies such as the NSA and others.

"Yahoo’s announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling," Beardsley explained. "It appears that Yahoo! is not supporting PFS (Perfect Forward Secrecy). This means that an adversary can record the encrypted session, and if they later get Yahoo's private key, they can still decrypt the session."

"In other words, an attacker can't decrypt the session today because they don’t have the private key. But in the future, 'retrospective decryption' is possible by getting a hold of that private key through an exploit on the webmail provider's servers, a weakness on the cipher itself, webmail operator cooperation, or through the power of a court-issued warrant."

Applying Perfect Forward Secrecy - a technology applied by Google, Facebook, and Twitter is their comparable HTTPS implementations - gets around this problem. With PFS, another encrypted session happens before the HTTPS session starts, using temporary keys that aren’t used for anything else. Beardsley adds: "Even if an attacker got a hold of that temporary key, it's only good for that session and that session only. They'd have to recover a new, unique key for every session they decrypt."

Google, Facebook, and Twitter have all employed ECDHE (Elliptical Curve Diffie-Hellman Exchange), where they can generate a one-time key that makes it very difficult for an attacker to come in later with private keys to decrypt. There's no good reason for Yahoo! not to have followed this approach to building out stronger crypto with its service, according to Beardsley.

"The fact that Yahoo! is ignoring the current wisdom on Perfect Forward Secrecy, which solves the retrospective decryption problem, is worrisome. I can’t think of a legitimate reason to prefer this weaker encryption strategy," Beardsley concludes.

The shortcomings of Yahoo's always-on webmail crypto don't stop at the omission of Perfect Forward Secrecy. For example, some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients. "RC4 is considered weak, which is why we advise that people either don't use it, or if they feel they must, use it as a last resort," said Ivan Ristic, director of application security research at cloud security firm Qualys, which runs the SSL Labs and SSL Pulse projects, ITWorld reports.

Microsoft and Cisco both recently phased out the use of RC4, which is considered unsafe.

Other crucial servers, such as login.yahoo.com, lack mitigations for the CRIME SSL attack, leading Qualys' SSL Labs to downgrade its overall rating to a "B".

Jeff Bonforte, SVP of communication products at Yahoo!, said that the web giant was committed to continuous security improvements in announcing HTTPS was now default in Yahoo! Mail. El Reg's security desk can only hope the web giant takes the well-intentioned criticism of security experts on board quickly in further improving the security of its service.

Bonforte said:

Anytime you use Yahoo! Mail - whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP - it is 100 per cent encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.

Security is a key focus for us and we’ll continue to enhance our security technology and policies so we can provide a safe and secure experience for our users.

Gmail has offered HTTPS by default since 2010 while Microsoft's Outlook.com webmail service launched with the feature in July 2012, at the time the service was introduced as a replacement to Hotmail. Facebook began rolling out HTTPS by default in November 2012. Yahoo! introduced full-session HTTPS for webmail users in late 2012 but users had to opt in to use a more secure version of the service, which only became the default option this week. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.