Feeds

Well done for flicking always-on crypto switch, Yahoo! Now here's what you SHOULD have done

Webmail provider's HTTPS move too little, too late

Seven Steps to Software Security

Yahoo has followed the lead of Google and Microsoft and enabled HTTPS encryption by default for all Yahoo! Mail users.

HTTPS by default safeguards privacy over an unsecured internet connection such as a public Wi-Fi network in a cafe or an airport. Done properly the technology also safeguards against state-backed snooping directed at webmail services accessed from home or work.

Default webmail encryption is a welcome step towards greater privacy but is undermined by Yahoo!'s failure to follow industry-best practices in rolling out always-on crypto, according to security experts.

Tod Beardsley, engineering manager for Metasploit at Rapid7, said flaws in the implementation leave Yahoo! webmail far more vulnerable to snooping by intelligence agencies such as the NSA and others.

"Yahoo’s announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling," Beardsley explained. "It appears that Yahoo! is not supporting PFS (Perfect Forward Secrecy). This means that an adversary can record the encrypted session, and if they later get Yahoo's private key, they can still decrypt the session."

"In other words, an attacker can't decrypt the session today because they don’t have the private key. But in the future, 'retrospective decryption' is possible by getting a hold of that private key through an exploit on the webmail provider's servers, a weakness on the cipher itself, webmail operator cooperation, or through the power of a court-issued warrant."

Applying Perfect Forward Secrecy - a technology applied by Google, Facebook, and Twitter is their comparable HTTPS implementations - gets around this problem. With PFS, another encrypted session happens before the HTTPS session starts, using temporary keys that aren’t used for anything else. Beardsley adds: "Even if an attacker got a hold of that temporary key, it's only good for that session and that session only. They'd have to recover a new, unique key for every session they decrypt."

Google, Facebook, and Twitter have all employed ECDHE (Elliptical Curve Diffie-Hellman Exchange), where they can generate a one-time key that makes it very difficult for an attacker to come in later with private keys to decrypt. There's no good reason for Yahoo! not to have followed this approach to building out stronger crypto with its service, according to Beardsley.

"The fact that Yahoo! is ignoring the current wisdom on Perfect Forward Secrecy, which solves the retrospective decryption problem, is worrisome. I can’t think of a legitimate reason to prefer this weaker encryption strategy," Beardsley concludes.

The shortcomings of Yahoo's always-on webmail crypto don't stop at the omission of Perfect Forward Secrecy. For example, some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients. "RC4 is considered weak, which is why we advise that people either don't use it, or if they feel they must, use it as a last resort," said Ivan Ristic, director of application security research at cloud security firm Qualys, which runs the SSL Labs and SSL Pulse projects, ITWorld reports.

Microsoft and Cisco both recently phased out the use of RC4, which is considered unsafe.

Other crucial servers, such as login.yahoo.com, lack mitigations for the CRIME SSL attack, leading Qualys' SSL Labs to downgrade its overall rating to a "B".

Jeff Bonforte, SVP of communication products at Yahoo!, said that the web giant was committed to continuous security improvements in announcing HTTPS was now default in Yahoo! Mail. El Reg's security desk can only hope the web giant takes the well-intentioned criticism of security experts on board quickly in further improving the security of its service.

Bonforte said:

Anytime you use Yahoo! Mail - whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP - it is 100 per cent encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.

Security is a key focus for us and we’ll continue to enhance our security technology and policies so we can provide a safe and secure experience for our users.

Gmail has offered HTTPS by default since 2010 while Microsoft's Outlook.com webmail service launched with the feature in July 2012, at the time the service was introduced as a replacement to Hotmail. Facebook began rolling out HTTPS by default in November 2012. Yahoo! introduced full-session HTTPS for webmail users in late 2012 but users had to opt in to use a more secure version of the service, which only became the default option this week. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.