Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Security Expert Calls Yahoo’s Implementation of HTTPS “Troubling”

HTTPS Encryption

On the surface, the fact that Yahoo! finally enabled HTTPS encryption for all Yahoo Mail users sounds like good news. However, one security expert called the move “too little too late” and found Yahoo’s actions “quite troubling.”

HTTPS Encryption

On the surface, the fact that Yahoo! finally enabled HTTPS encryption for all Yahoo Mail users sounds like good news. However, one security expert called the move “too little too late” and found Yahoo’s actions “quite troubling.”

As SecurityWeek reported, Yahoo announced this week that all Yahoo Mail communications—whether on the Web, mobile Web, mobile apps, or even via IMAP, POP and SMTP—would be encrypted by default using 2,048-bit certificates. This move will protect all the contents of emails, attachments, contacts, Calendar information, and even Messenger data, as they move between the user’s browser and Yahoo’s servers.

However, the fact that Yahoo decided not to support Perfect Forward Secrecy (PFS) “is worrisome,” Tod Beardsley, the Metasploit Engineering Manager at Rapid7, told SecurityWeek. This means that an adversary can still go ahead and record the encrypted session and then later try to get Yahoo’s private key. PFS is future-focused and addresses this “retrospective decryption” problem, he said.

In other words, an attacker can’t decrypt the session today because they don’t have the private key. But without PFS, there is nothing stopping the adversary from trying to get the key and trying to decrypt the contents later.

“I can’t think of a legitimate reason to prefer this weaker encryption strategy,” Beardsley said.

There are a number of ways the private key could be exposed, such as exploiting a vulnerability on Yahoo’s servers, discovering a weakness in the cipher itself, or if Yahoo hands over the key, either because it is cooperating or ordered to do so via a court warrant.

PFS starts an encrypted session with temporary keys that aren’t used for anything else and are good only for that session just before opening the HTTPS session. It doesn’t matter if the adversary somehow intercepts this key because it won’t unlock any other session. This means that a unique key has to be recovered for every single encrypted session.

Google, Facebook, and Twitter have adopted “far more secure” options, Beardsley said. The Elliptical Curve Diffie-Hellman Exchange (ECDHE) generates a one-time key for each session. Beardsley confirmed that Facebook, Twitter, Google, and search engine Duck Duck Go use ECDHE. Microsoft’s Live.com and Yahoo are not using FPS.

Advertisement. Scroll to continue reading.

SecurityWeek has reached out to Yahoo! for an explanation on why the company did not choose to support PFS, but has not received a response as of time of publication.

Related: Twitter Boosts Web Encryption with ‘Forward Secrecy’

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.