Re: yahoo mail login security

["Sels, Roger" <roger.sels () gov-fbi net>]

On Wed, May 3, 2006 4:33 pm, Ace123 wrote:
> On 5/3/06, Sels, Roger <roger.sels () gov-fbi net> wrote:
>
> > 2. Sessions are recognized through a series of cookies set by hotmail.
> > Sniffing the URL someone is using to access their hotmail account will
> > not
> > gain you access to that mailbox.
>
> Not just the URL, but the cookies too. I've browser addon that shows
> me all the ssl content in clear. The cookies are many and very
> obfuscated.
>
> > I don't see why non-SSL content couldn't be mixed with SSL-protected
> > content,
>
>
> Mixed content gives a warning to the end user.

True, but this doesn't mean it's unusable. So the reason can't be "because
third-party sources don't know how to speak SSL".

> > but I don't really see a point in encrypting those communications
> > anyways.
>
> Well, I am only trying to figure out what is stopping yahoo and
> hotmail from using ssl for all the communication, if they have a
> reason. As someone pointed out, gmail can do that if you start with
> https://gmail.google.com.
>
> > It's a free, public e-mail service. You know up front what you are
> > getting.
> > Also consider it really helps local law enforcement agencies: it makes
> > it
> > easier to monitor e-mail conversations as the technically clueless
> > reveals
> > his master plans for world domination using hotmail or when thieves
> > discuss the genuinity of a stolen Rembrandt based on pictures they put
> > on
> > their MSN Space... ;-)
>
> While this can be the answer to my question above, I hope it is not
> the only one. Or is it?

That's just my personal guess. I really can't come up with a better reason
than that ;-)

> > 3. Not me, sorry.
Kr
> >
Roger
> > On Tue, May 2, 2006 8:00 am, Ace123 wrote:
> > > 1. Would it then be wise to send the md5 hash over ssl?
> > >
> > > 2. Yahoo is not alone in switching to http for email after
> > > authenticating the user, both hotmail and gmail do the same. One
> > > reason I can think of why they do this is, the various resources in
> > > their pages come from different domains (possibly 3rd party) and they
> > > can't ask for all of them to do SSL. Do you know of any other reasons?
> > >
> > > 3. The cookie names these guys use are very tricky, there are usually
> > > many cookies and it is not clear why of them represents the session,
> > > so that we can take that cookie, set it in our browser and check out
> > > other's email. Ofcourse, it might be possible to set all the cookies
> > > that we see there, but I have not tried that. Has anyone done any
> > > research on what each of the cookies is used for, in
> > > yahoo/hotmail/gmail?
> > >
> > > Thanks!
> > >
> > >
> > > On 5/2/06, ROB DIXON <rdixon () workforcewv org> wrote:
> > > > exactly
> > > >
> > > > Robert L. Dixon,  CHFI
> > > > State of West Virginia's
> > > > West Virginia Office of Technology
> > > > Infrastructure Applications
> > > > Netware/GroupWise Administrator
> > > > Telephone: (304)-558-5472 ex.4225
> > > > ------------------------------------------
> > > > If you spend more on coffee than on IT security, you will be hacked.
> > > > What's more, you deserve to be hacked.
> > > > -- former White House cybersecurity czar Richard Clarke
> > > > > > > "Matt Fisher" <mfisher () spidynamics com>  >>>
> > > > Don't they revert back to HTTP after auth anyhow ?
> > > > Protect my credentials all you want, but if you give up my email on
> > the
> > > > wire(less) I'm switching regardless.
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: ROB DIXON [mailto:rdixon () workforcewv org]
> > > > Sent: Monday, May 01, 2006 3:51 PM
> > > > To: flace9 () gmail com; vanderaj () greebo net
> > > > Cc: webappsec () securityfocus com
> > > > Subject: Re: yahoo mail login security
> > > >
> > > > If you are capturing the form submission via MITM then would SSL not
> > be
> > > > just as trivial via Cain and Able.\
> > > >
> > > > Granted it would be obvious since the SSL cert would appear to be
> > > > invalid, but not everyone is that savy.
> > > >
> > > > Robert L. Dixon,  CHFI
> > > > State of West Virginia's
> > > > West Virginia Office of Technology
> > > > Infrastructure Applications
> > > > Netware/GroupWise Administrator
> > > > Telephone: (304)-558-5472 ex.4225
> > > > ------------------------------------------
> > > > If you spend more on coffee than on IT security, you will be hacked.
> > > > What's more, you deserve to be hacked.
> > > > -- former White House cybersecurity czar Richard Clarke
> > > > > > > Andrew van der Stock <vanderaj () greebo net>  >>>
> > > > Several reasons:
> > > >
> > > > 1. MD5 does protect the password... as long as it is salted
> > > > correctly. Unsalted MD5 hashes are trivially breakable using rainbow
> > > > attacks, and are unsuitable for most uses (despite heavy usage by
> > > > many programs in exactly this fashion).
> > > >
> > > > 2. Replay attacks on public networks. Capturing the form submission
> > > > (trivial without SSL) would allow an attacker to replay the
> > > > conversation and log on as the identity without any issues
> > > >
> > > > 3. MD5 is provably weak as a hash - see the work of Wang et al:
> > > >
> > > > http://eprint.iacr.org/2004/199.pdf
> > > >
> > > > 4. Javascript on the client is not a trusted environment. Minimizing
> > > > the trust of security weak components is a good design goal.
> > > >
> > > > 5. SSL is cheap. A certificate costs less than $100 these days and
> > > > solves many of these issues.
> > > >
> > > > Andrew
> > > >
> > > >
> > > >
> > > > On 30/04/2006, at 5:55 PM, Ace123 wrote:
> > > >
> > > > > Clicking on "Why this is secure" link on the yahoo login page gives
> > > > > this:
> > > > >
> > > > > "Yahoo! now submits your ID and password securely via SSL (Secure
> > > > > Sockets Layer) encryption. This means that your personal
> > information
> > > > > is more secure every time you sign in.
> > > > >
> > > > > In the past, Yahoo! used a challenge-response mechanism to protect
> > > > > passwords using MD5. Passwords were scrambled using a one-way hash,
> > so
> > > > > that they could not be converted to clear text."
> > > > >
> > > > >
> > > > > What could be the reasons why yahoo changed their login security
> > > > > mechanism?
> > > > >
> > > > > ----------------------------------------------------------------------
> > > >
> > > > > ---
> > > > > Sponsored by: Watchfire
> > > > >
> > > > > Watchfire's AppScan is the industry's first and leading web
> > > > > application
> > > > > security testing suite, and the only solution to provide
> > comprehensive
> > > > > remediation tasks at every level of the application. Change the way
> > > > > you
> > > > > think about application security testing - See for yourself.
> > > > > Download a Free Trial of AppScan 6.0 today!
> > > > >
> > > > > https://www.watchfire.com/securearea/appscansix.aspx?
> > > > > id=701300000007kaF
> > > > > ----------------------------------------------------------------------
> > > >
> > > > > ----
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > > -
> > > > Sponsored by: Watchfire
> > > >
> > > > The Twelve Most Common Application-level Hack Attacks
> > > > Hackers continue to add billions to the cost of doing business online
> > > > despite security executives' efforts to prevent malicious attacks.
> > This
> > > > whitepaper identifies the most common methods of attacks that we have
> > > > seen,
> > > > and outlines a guideline for developing secure web applications.
> > > > Download this whitepaper today!
> > > >
> > > > https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
> > > > ------------------------------------------------------------------------
> > > > --
> > >
> > > -------------------------------------------------------------------------
> > > Sponsored by: Watchfire
> > >
> > > The Twelve Most Common Application-level Hack Attacks
> > > Hackers continue to add billions to the cost of doing business online
> > > despite security executives' efforts to prevent malicious attacks.
> > This
> > > whitepaper identifies the most common methods of attacks that we have
> > > seen,
> > > and outlines a guideline for developing secure web applications.
> > > Download this whitepaper today!
> > >
> > > https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
> > > --------------------------------------------------------------------------
> >
> >
> > --
> > Life is 10 percent what you make it and 90 percent how you take it. -
> > Irving Berlin
> >
> >
> > -------------------------------------------------------------------------
> > Sponsored by: Watchfire
> >
> > The Twelve Most Common Application-level Hack Attacks
> > Hackers continue to add billions to the cost of doing business online
> > despite security executives' efforts to prevent malicious attacks. This
> > whitepaper identifies the most common methods of attacks that we have
> > seen,
> > and outlines a guideline for developing secure web applications.
> > Download this whitepaper today!
> >
> > https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
> > --------------------------------------------------------------------------


-- 
Life is 10 percent what you make it and 90 percent how you take it. -
Irving Berlin


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------