Yes, Yahoo has finally turned on HTTPS encryption
for its Mail users, but it doesn't look as if the company put in any
effort towards doing it in a meaningfully secure manner.All Yahoo Mail communications—whether on the Web, mobile Web, mobile apps, or even via IMAP, POP and SMTP—are now encrypted by default using 2,048-bit certificates, Jeff Bonforte, Yahoo's senior vice-president of communication products, wrote on Yahoo Mail's Tumblr this week. This move will protect all the contents of emails, attachments, contacts, Calendar information, and even Messenger data, as they move between the user's browser and Yahoo's servers. Security experts warned that it wasn't enough.
"Yahoo's announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling," said Tod Beardsley, Metasploit Engineering Manager at Rapid7.
Credit Where Credit is Due
Yahoo began offering security-conscious users the option to turn on HTTPS for themselves in late 2012. The latest change means the encryption is now turned on by default, protecting everyone, not just the ones who opted in for more security. Considering that most users never muck around in the settings, it's a good thing Yahoo has finally turned on HTTPS by default. Gmail has had HTTPS by default since 2010, Microsoft launched Outlook.com in July 2012 with this feature by default, and Facebook started rolling out HTTPS by default to users in November 2012.
Being late to the party wouldn't be so bad if Yahoo had actually thought through some of its security decisions. While deploying encryption by default is a "big step forward for Yahoo," the "new configuration leaves a lot to be desired," Ivan Ristic, director of application security research at security firm Qualys, told Security Watch. The biggest issue has to do with the fact that Yahoo decided not to support Perfect Forward Secrecy (PFS).
"Without Forward Secrecy, even encrypted data is feasibly at risk from private key compromise," Ristic warned.
A Quick PFS Primer
With basic HTTPS encryption, hackers (or government agents) who capture the data stream can't read the contents because they don't have Yahoo's private key. However, if they acquired the key at some later date, they could go back and decrypt the previously captured data. If the site implemented Perfect Foward Secrecy, then even if someone gained access to the key at a later date, that person can't go back and unlock all the older sessions.
There are a number of ways the private key could be exposed: an attack on Yahoo's servers to steal the key or discovering a weakness in the cipher itself. Yahoo may even hand over the key, either voluntarily or because of a court order.
"I can't think of a legitimate reason to prefer this weaker encryption strategy," Beardsley said.
Not Good EnoughThere are other problems with Yahoo's implementation, according to Ristic. Some of Yahoo's HTTPS email servers use RC4 as the preferred cipher, but RC4 is considered to be weak. Microsoft and Cisco recently phased out the use of RC4. It is also vulnerable to distributed-denial-of-service attacks because it supports client-initiated renegotiation, according to a report from SSL Labs.
SSL Labs grades Websites on the overal security of its SSL implementation. Yahoo has only a "B" rating.
Other servers, such as login.yahoo.com, uses AES. AES is better than RC4, but Yahoo did not implement security mitigations for known attacks such as BEAST, which targets TLS 1.0 and earlier protocols, and CRIME, a practical attack against how TLS is used in browsers. The site also supports "only older protocol versios, but not the most recent and more secure TLS 1.2," according to a report from SSL Labs.
Perhaps Yahoo is still working out the kinks and better security will be phased in over the next few weeks or months. But it would have been nice to explain its plans upfront. What about it Yahoo? Will you think about user security, instead of what's easier for your team to do?
No comments:
Post a Comment