On the surface, the fact that Yahoo! finally enabled HTTPS encryption for all Yahoo Mail users sounds like good news. However, one security expert called the move “too little too late” and found Yahoo’s actions “quite troubling.”
As SecurityWeek reported, Yahoo announced this week that all Yahoo Mail communications—whether on the Web, mobile Web, mobile apps, or even via IMAP, POP and SMTP—would be encrypted by default using 2,048-bit certificates. This move will protect all the contents of emails, attachments, contacts, Calendar information, and even Messenger data, as they move between the user’s browser and Yahoo’s servers.
However, the fact that Yahoo decided not to support Perfect Forward Secrecy (PFS) “is worrisome,” Tod Beardsley, the Metasploit Engineering Manager at Rapid7, told SecurityWeek. This means that an adversary can still go ahead and record the encrypted session and then later try to get Yahoo’s private key. PFS is future-focused and addresses this “retrospective decryption” problem, he said.
In other words, an attacker can’t decrypt the session today because they don’t have the private key. But without PFS, there is nothing stopping the adversary from trying to get the key and trying to decrypt the contents later.
“I can’t think of a legitimate reason to prefer this weaker encryption strategy,” Beardsley said.
There are a number of ways the private key could be exposed, such as exploiting a vulnerability on Yahoo’s servers, discovering a weakness in the cipher itself, or if Yahoo hands over the key, either because it is cooperating or ordered to do so via a court warrant.
PFS starts an encrypted session with temporary keys that aren’t used for anything else and are good only for that session just before opening the HTTPS session. It doesn’t matter if the adversary somehow intercepts this key because it won’t unlock any other session. This means that a unique key has to be recovered for every single encrypted session.
Google, Facebook, and Twitter have adopted “far more secure” options, Beardsley said. The Elliptical Curve Diffie-Hellman Exchange (ECDHE) generates a one-time key for each session. Beardsley confirmed that Facebook, Twitter, Google, and search engine Duck Duck Go use ECDHE. Microsoft’s Live.com and Yahoo are not using FPS.
SecurityWeek has reached out to Yahoo! for an explanation on why the company did not choose to support PFS, but has not received a response as of time of publication.
Related: Twitter Boosts Web Encryption with ‘Forward Secrecy’