Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Security Expert Calls Yahoo’s Implementation of HTTPS “Troubling”

HTTPS Encryption

On the surface, the fact that Yahoo! finally enabled HTTPS encryption for all Yahoo Mail users sounds like good news. However, one security expert called the move “too little too late” and found Yahoo’s actions “quite troubling.”

HTTPS Encryption

On the surface, the fact that Yahoo! finally enabled HTTPS encryption for all Yahoo Mail users sounds like good news. However, one security expert called the move “too little too late” and found Yahoo’s actions “quite troubling.”

As SecurityWeek reported, Yahoo announced this week that all Yahoo Mail communications—whether on the Web, mobile Web, mobile apps, or even via IMAP, POP and SMTP—would be encrypted by default using 2,048-bit certificates. This move will protect all the contents of emails, attachments, contacts, Calendar information, and even Messenger data, as they move between the user’s browser and Yahoo’s servers.

However, the fact that Yahoo decided not to support Perfect Forward Secrecy (PFS) “is worrisome,” Tod Beardsley, the Metasploit Engineering Manager at Rapid7, told SecurityWeek. This means that an adversary can still go ahead and record the encrypted session and then later try to get Yahoo’s private key. PFS is future-focused and addresses this “retrospective decryption” problem, he said.

In other words, an attacker can’t decrypt the session today because they don’t have the private key. But without PFS, there is nothing stopping the adversary from trying to get the key and trying to decrypt the contents later.

“I can’t think of a legitimate reason to prefer this weaker encryption strategy,” Beardsley said.

There are a number of ways the private key could be exposed, such as exploiting a vulnerability on Yahoo’s servers, discovering a weakness in the cipher itself, or if Yahoo hands over the key, either because it is cooperating or ordered to do so via a court warrant.

PFS starts an encrypted session with temporary keys that aren’t used for anything else and are good only for that session just before opening the HTTPS session. It doesn’t matter if the adversary somehow intercepts this key because it won’t unlock any other session. This means that a unique key has to be recovered for every single encrypted session.

Google, Facebook, and Twitter have adopted “far more secure” options, Beardsley said. The Elliptical Curve Diffie-Hellman Exchange (ECDHE) generates a one-time key for each session. Beardsley confirmed that Facebook, Twitter, Google, and search engine Duck Duck Go use ECDHE. Microsoft’s Live.com and Yahoo are not using FPS.

SecurityWeek has reached out to Yahoo! for an explanation on why the company did not choose to support PFS, but has not received a response as of time of publication.

Related: Twitter Boosts Web Encryption with ‘Forward Secrecy’

Written By

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).