Feeds

Well done for flicking always-on crypto switch, Yahoo! Now here's what you SHOULD have done

Webmail provider's HTTPS move too little, too late

Beginner's guide to SSL certificates

Yahoo has followed the lead of Google and Microsoft and enabled HTTPS encryption by default for all Yahoo! Mail users.

HTTPS by default safeguards privacy over an unsecured internet connection such as a public Wi-Fi network in a cafe or an airport. Done properly the technology also safeguards against state-backed snooping directed at webmail services accessed from home or work.

Default webmail encryption is a welcome step towards greater privacy but is undermined by Yahoo!'s failure to follow industry-best practices in rolling out always-on crypto, according to security experts.

Tod Beardsley, engineering manager for Metasploit at Rapid7, said flaws in the implementation leave Yahoo! webmail far more vulnerable to snooping by intelligence agencies such as the NSA and others.

"Yahoo’s announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling," Beardsley explained. "It appears that Yahoo! is not supporting PFS (Perfect Forward Secrecy). This means that an adversary can record the encrypted session, and if they later get Yahoo's private key, they can still decrypt the session."

"In other words, an attacker can't decrypt the session today because they don’t have the private key. But in the future, 'retrospective decryption' is possible by getting a hold of that private key through an exploit on the webmail provider's servers, a weakness on the cipher itself, webmail operator cooperation, or through the power of a court-issued warrant."

Applying Perfect Forward Secrecy - a technology applied by Google, Facebook, and Twitter is their comparable HTTPS implementations - gets around this problem. With PFS, another encrypted session happens before the HTTPS session starts, using temporary keys that aren’t used for anything else. Beardsley adds: "Even if an attacker got a hold of that temporary key, it's only good for that session and that session only. They'd have to recover a new, unique key for every session they decrypt."

Google, Facebook, and Twitter have all employed ECDHE (Elliptical Curve Diffie-Hellman Exchange), where they can generate a one-time key that makes it very difficult for an attacker to come in later with private keys to decrypt. There's no good reason for Yahoo! not to have followed this approach to building out stronger crypto with its service, according to Beardsley.

"The fact that Yahoo! is ignoring the current wisdom on Perfect Forward Secrecy, which solves the retrospective decryption problem, is worrisome. I can’t think of a legitimate reason to prefer this weaker encryption strategy," Beardsley concludes.

The shortcomings of Yahoo's always-on webmail crypto don't stop at the omission of Perfect Forward Secrecy. For example, some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients. "RC4 is considered weak, which is why we advise that people either don't use it, or if they feel they must, use it as a last resort," said Ivan Ristic, director of application security research at cloud security firm Qualys, which runs the SSL Labs and SSL Pulse projects, ITWorld reports.

Microsoft and Cisco both recently phased out the use of RC4, which is considered unsafe.

Other crucial servers, such as login.yahoo.com, lack mitigations for the CRIME SSL attack, leading Qualys' SSL Labs to downgrade its overall rating to a "B".

Jeff Bonforte, SVP of communication products at Yahoo!, said that the web giant was committed to continuous security improvements in announcing HTTPS was now default in Yahoo! Mail. El Reg's security desk can only hope the web giant takes the well-intentioned criticism of security experts on board quickly in further improving the security of its service.

Bonforte said:

Anytime you use Yahoo! Mail - whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP - it is 100 per cent encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.

Security is a key focus for us and we’ll continue to enhance our security technology and policies so we can provide a safe and secure experience for our users.

Gmail has offered HTTPS by default since 2010 while Microsoft's Outlook.com webmail service launched with the feature in July 2012, at the time the service was introduced as a replacement to Hotmail. Facebook began rolling out HTTPS by default in November 2012. Yahoo! introduced full-session HTTPS for webmail users in late 2012 but users had to opt in to use a more secure version of the service, which only became the default option this week. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.