WebApp Sec mailing list archives
Re: yahoo mail login security
From: Andrew van der Stock <vanderaj () greebo net>
Date: Mon, 1 May 2006 17:22:33 +1000
Several reasons:

1. MD5 does protect the password... as long as it is salted correctly. Unsalted MD5 hashes are trivially breakable using rainbow attacks, and are unsuitable for most uses (despite heavy usage by many programs in exactly this fashion).

2. Replay attacks on public networks. Capturing the form submission (trivial without SSL) would allow an attacker to replay the conversation and log on as the identity without any issues.

3. MD5 is provably weak as a hash - see the work of Wang et al: http://eprint.iacr.org/2004/199.pdf

4. Javascript on the client is not a trusted environment. Minimizing the trust of security weak components is a good design goal.

5. SSL is cheap. A certificate costs less than $100 these days and solves many of these issues.
Andrew

On 30/04/2006, at 5:55 PM, Ace123 wrote:
Clicking on "Why this is secure" link on the yahoo login page gives this:

"Yahoo! now submits your ID and password securely via SSL (Secure Sockets Layer) encryption. This means that your personal information is more secure every time you sign in. In the past, Yahoo! used a challenge-response mechanism to protect passwords using MD5. Passwords were scrambled using a one-way hash, so that they could not be converted to clear text."

What could be the reasons why yahoo changed their login security mechanism?
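As an added illustration of point 1 above (editor's example, not code from the original message or from Yahoo): a small constructed wordlist stands in for a precomputed table, an unsalted MD5 digest is recovered by a single dictionary lookup, and a per-user random salt makes that same table useless. All function names and the wordlist are assumptions made for this example.

```python
import hashlib
import os

# Constructed sample wordlist; stands in for a precomputed (rainbow-style) table.
COMMON_PASSWORDS = ["password", "letmein", "qwerty", "hunter2", "yahoo2006"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Hash each candidate once. The table is built one time and then
    reused against every unsalted digest ever captured, which is what makes
    unsalted storage so cheap to break."""
    return {md5_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    """The weak scheme: same password always yields the same digest."""
    return md5_hex(password.encode())


def store_salted(password: str, salt: bytes = None):
    """Per-user random salt: returns (salt_hex, digest). Two users with the
    same password get different digests, and no table built in advance
    can contain MD5(salt || password) for an unknown salt."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), md5_hex(salt + password.encode())


def lookup(table, digest: str):
    """Recover a password from a digest by table lookup, or None if absent.
    Succeeds only when the digest was produced without a salt."""
    return table.get(digest)


def verify_salted(password: str, salt_hex: str, digest: str) -> bool:
    """Server-side check: recompute with the stored salt and compare."""
    return md5_hex(bytes.fromhex(salt_hex) + password.encode()) == digest
```

A salt defeats precomputation but not a fast per-digest brute force, which is why modern password storage uses a deliberately slow, iterated hash rather than a single MD5.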