Security Expert: Yahoo's Email Encryption Needs Work

itwbennett writes "On Tuesday, Yahoo delivered on a promise that it made in October to enable email encryption for everyone by default by January 8. While this is a great step, the company's HTTPS implementation appears to be inconsistent across servers and even technically insecure in some cases, according to Ivan Ristic, director of application security research at security firm Qualys. For example, some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients. 'RC4 is considered weak, which is why we advise that people either don't use it, or if they feel they must, use it as a last resort,' Ristic said."

Ya-what?

[hoifelot]

I don't understand how yahoo can be alive today. It's been way behind competitors for about a decade. This type of story fits right in with that picture. Okay, if they are still alive, I guess they must be making money. But I'm happy they are still around. Now and then I find that I need to reconnect with a site I haven't used for years, where I registered with my yahoo address... And in that case, it's nice that I'm able to receive a password reset link. But what's the attraction today, besides that?

Re:Ya-what?

[metrix007]

Because it leads in Asia, ahead of Google.

Re: Ya-what?

[hoifelot]

My own opinion has been that Hotmail was far inferior to both Google's and Yahoo's offerings. In that light, Google was the only better alternative. Thus "competitor" :-)

Re:Ya-what?

[TheloniousToady]

OK, I'll bite. There still are a few things they do well. For example, their Finance feature is among the best in class of financial information (IMHO).

I began using their email system as a POP server years ago, mainly because I thought the spam filtering worked very well. At some point, they changed their system so that you had to use their address as the reply address, so I began using that rather than my website's forwarding address. Although that should have alienated me and made me go elsewhere, I stuck with them, so now people are used to replying to the Yahoo address and it's hard to switch to something else.

I used to use their "classic" (old-fashioned) mail but they forced me and everyone else out of that last year. So, I got used to the new email interface and even generally like it now, but the performance problems still are inexcusable. For example, I sent one email several times the other day after their system said it had failed to send it, then multiple copies of it appeared in my "Sent" list. So, did it go out or not? - who knows?

Their longstanding "Groups" system still has some attractive features. I tried to find a replacement for it recently for an email list I've run for several years, and I couldn't find any similar free and ready-made (no installation) email group service that allows users to subscribe themselves.

There seems to be a theme lately of Yahoo changing the cosmetics of their system as often as possible. However, they don't seem to understand that users don't want change unless there is a clear benefit to them. And users also don't want continuous change - they need time to digest each new thing that's foisted on them. Yahoo also seems to be disregarding the impact all these changes have on system performance. Even after tolerating senseless change, I'm just about ready to abandon their email due to its increasingly poor performance.

I find their search to be OK, though I'm not particularly loyal to it. Honestly, I can't tell much difference between Yahoo/Bing search and Google, so I just use whichever one comes up in the browser I happen to be using. However, my perception is that Google is very slightly better.

Overall, the challenge for Yahoo is to modernize their systems after years of neglect, while retaining the things that people like about them (in my case: finance, spam filtering, and groups), without impacting quality in terms of performance and security. They might get to the Promised Land one day, but there's a lot of desert to cross first.

Re: Ya-what?

[SQLGuru]

The recent revamps to Bing / Outlook.com (nee Live.com nee Hotmail.com) have made it better than Yahoo (in my opinion --- and many tech blogs as well). But what Yahoo has going for it is that the high-inertia crowd has been using it for a while and won't budge from it. I know a lot of tech un-savvy baby boomers who won't leave Yahoo because they don't know how to transfer their information and don't want to lose their history. (It's the same crowd that still pays for AOL.)

Re:Ya-what?

[Bill+Dimm]

There still are a few things they do well. For example, their Finance feature is among the best in class of financial information (IMHO).

Except that their charts show the price of the stock/fund without adjusting for dividends, i.e. there is no way to graph "adjusted price" or "growth of a $1000 investment." So, when a mutual fund makes a big capital gain payout, which has no economic significance (they hand you a check for $X per share and the share price drops by $X), the chart shows a big dip. If you try to chart two securities together to compare them it is totally misleading because of the economically meaningless dips when there is a dividend or capital gain payout. They have the data to do this right, it is displayed as the "Adj Close" in the "historical prices" table, but they don't make it available in the charts. When they've been doing something that dumb for over a decade in spite of complaints, how can you trust anything they do?

Re: Ya-what?

[Zumbs]

But what Yahoo has going for it is that the high-inertia crowd has been using it for a while and won't budge from it. I know a lot of tech un-savvy baby boomers who won't leave Yahoo because they don't know how to transfer their information and don't want to lose their history. (It's the same crowd that still pays for AOL.)

The main reason not to leave your current provider is that decade worth of friends and contacts who know your email address and will most likely continue to use your old email address for quite a while after you switch. I know from experience: I switched from hotmail 8 years ago, and still get the occasional email from a friend there.

Momentum

[sqrt(2)]

It was around at the right time to capture a large percentage of normies just getting online for the first time. These people don't like change. They don't really "like" computers in general. To them they're just tools; very frustrating and obtuse tools. Changing e-mail addresses is far more trouble than it is worth--we can barely get these people to give up Windows XP.

Re:Momentum

[Arker]

Lots of these people actually think their email account is tied to their computer. They think they would have to get a new computer to change email accounts.

Re: Momentum

[hoifelot]

You're absolutely right. I forgot that changing your email address can be a big hurdle/insurmountable task for many people.

Re: Momentum

[hoifelot]

Wow is all I can say. I had no idea so many people are so incompetent.

Re:Momentum

[Mashiki]

Lots of these people actually think their email account is tied to their computer. They think they would have to get a new computer to change email accounts.

I suppose that's possible. After all, people have long grown up with the address=home. In turn, computer = unique address, and they don't see a mechanism(to transfer-though not needed), for their new computer like they would with a house/apt/etc. Though I will say in the 18 years I've been working with computers I've never seen this.

Re: Momentum

[clickclickdrone]

You think that's bad? I know someone who has been using Windows daily in their job for 20 years and yet they have never heard of/seen Windows Explorer (not IE) and only found out that start/all programs lets you see what apps you have, a few weeks ago. They save all their IE short cuts to the desktop, not to IE. Basically, their desktop is one huge splat of shortcuts to apps and web pages. They even keep their photos and docs there (mercifully in a folder).

Re:Momentum

[Monoman]

Exactly. The same kind of people still have AOL accounts... heck I know one or two MSN customers too. These "portals" are the Internet to them. Luckily for Y!/AOL their remaining customers are plentiful and don't know how to block ads.

Progress.

[ptudor]

It's important to remember that only a year ago RC4 was a recommended solution and TLS1.2 support in browsers like Firefox and older operating systems has been slow to arrive. So I look at this as an important first step, with progressive refinements sure to follow. In the same way that Facebook introduced https in response to Tunisia and slowly made it an option for all users before making it default, Yahoo, while slow in adopting a model of default security, has to walk similar steps. They may have had an SSL-beta-option for the last year, but given their AOL-Like user base, I can understand being conservative in adopting new methods and being liberal in the ciphers they provide. Someone using Chrome in Mavericks may expect support for SPDY3 with AES-GCM, but for a user base that may be using IE6 or FF3 on XP still, for a company that caters to people who will never know what GCM or SHA2 is it best to avoid the headline, "Yahoo Mail is Broken for tens of thousands of users." They'll get there. Thanks for trying, Yahoo.

Now, can someone at Microsoft turn on STARTTLS? For that matter, I wish NANOG would turn on STARTTLS for inbound connections.

Also, IPv6... please... IPv6...

"[U]se [RC4] as a last resort."

[cffrost]

Unfortunately — in Firefox, at least — ciphers can only be toggled, not given a priority. Control over cipher selection (and other HTTPS parameters, such as key length, key exchange, hash (MD5/SHA)., etc.) lies with the server operator. In my own testing, the arbitrated HTTPS parameters are most frequently prioritized in some order without regard to strength, or prioritized from weakest-to-strongest (or perhaps least-to-most expensive to execute).

In order to retain manageable security, I have only TLS 1.0-1.2 enabled, MD5 disabled, all RC4-employing combos disabled, with the last being switchable via a check box provided by "CipherFox." (Additional features of use to "CipherFox" users are provided by "Calomel SSL Validation."; I recommend both.)

Even good ciphers are mostly useless

[abies]

I wonder, in real world, how big percentage of the attacks are performed by man-in-the-middle (where strength of cypher matters). Between

1) 3 letter agencies just accessing content directly on Yahoo servers
2) Somebody hacking router between you and Yahoo (or evesdropping on physical line) and performing very costly cypher break
3) Having trojan/keylogger/whatever on your machine giving access to everything

How much point 2 is a problem compared to 1 and 3? People can write a lot about how usage of bad cipher will allow your mails to be cracked in 1 day instead of 5 billion years... but probably 99% of compromised emails are accessed through 1 or 3.

It is like with optimizing code. You could optimize hotspot where 99% of cpu time is spent, but it is hard. So instead you optimize all things around, making other 1% order of magnitudes faster and then forget than you cannot do anything about remaining 99%...

Re:Even good ciphers are mostly useless

[ptudor]

I'd add a #4, or #2a, Man-In-The-Middle the certificate. Diginotar's compromise, never the huge bundle of trusted certificates in every browser/OS, makes it easy. Whatever an enterprise can do with GPOs and Websense can happen in the wild too. (I kinda prefer self-signed certificates anymore.)

Overall I agree, but I still cry out in pain when I see people choosing to use 3DES and disable PFS.

Re:Even good ciphers are mostly useless

[CastrTroy]

Yeah, this reminds me of my security professor's opinion on SSL. It's great at what it does, but it pretty much does nothing to stop your credit card number from being stolen. It's a good idea to encrypt your credit card information when sending it to the online store. It's a better idea to come up with a payment system where you don't have to send your credit card info to the online store. Personally, I think that PayPal has done more for payment security than SSL has. At least with PayPal, only they need to know my credit card details, and the seller still gets their money. Ideally the credit card companies would have set up a system. So that nobody outside you and the credit card company has to know your credentials. The store just needs a cryptographically signed receipt saying that the money was transferred.

What is keeping Yahoo up?

[korbulon]

Yahoo reminds me of a journeyman heavyweight boxer taking the champ into deep rounds despite taking a serious beating. He simply will not go down.

They impress for sheer resilience, if for nothing else.

Re:What is keeping Yahoo up?

[VortexCortex]

In order for me to thrive as a business I merely need to make enough money to pay expenses and employees. I don't have to defeat the heavyweight. I just have to dodge their blows.

The stock market's demand for growth is untenable. Overextended businesses die; The name for unchecked growth is cancer. I've discovered that business maturity exists. Focusing on improving my services and better ability to meet customer needs / better dialog beats overextension through growth hands down. On the public market I'd be slaughtered. I refuse to grow faster than necessary. This way I can stay more nimble and adjust to changes and new tech faster than my competition. Instead of growing, I concentrated on streamlining agility. Eg: You could invent 50 new platforms tomorrow. In one year, I'll have support for them all without requiring any growth to gain the specialization. I have an excellent platform abstraction layer.

I'm not partial to Yahoo, but their board has more sane business sense than most. Their retention isn't necessarily impressive, but to dodge blows while in dire need of a tourniquet is commendable. It's caused them to make some compromising business decisions, however.

This is not "email encryption"

[daveewart]

While the article is correct and uses precise terminology, the summary is wrong to use the term "email encryption". That term is for encrypted email messages using PGP/GPG/S-MIME.

Yahoo have no framework for email encryption. This article is about use of HTTPS for their webmail service and (a) whether that has been implemented and, if so, (b) whether it has been done correctly.

The answers to which are: (a) mostly and (b) no.

Why don't people use "real" e-mail clients?

[CronoCloud]

Why do people insist on using a web browser to read their mail instead of a proper e-mail client that implements proper TLS and every other feature that an e-mail client has that the web interface doesn't. It's not like people can't access their webmail over proper IMAP or POP3, which has advantages like seeing no advertising and the ability to use GnuPG or S/MIME encryption if one wants.

I gave up with Yahoo

[danknight48]

I got sick to death of my 10+ year yahoo account being "compromised", just out of the blue. My passwords are always secure using multiple caps/numbers/symbols etc.
My gmail/hotmail accounts never gave me this hassle.

Everytime you want to "recover" your account, you have to siv through pages, and pages of crap. Once you confirm your account with another email on file, you then have to provide your current password (which has been compromised and changed) to get in.
This could all be avoided if Yahoo mail actually had a "SECURE" system in the 1st place.

Hence why i haven't bothered with Yahoo Mail since. Yahoo is too far behind and too careless for my attention.
Hotmail and Gmail is all you need, and, will save you so much frustration.

Re:I don't understand this reasoning at all

[cffrost]

So if a website gives you only HTTPS with RC4 or HTTP in clear text as options - why would you choose clear text?

This is totally illogical. Yes RC4 sucks but it is better than clear text - ANYTHING is better than clear text. The only possible argument for this would be "false sense of security", but if you think average people pay any attention to that padlock in the status bar, you are delusional.

I agree with you wholeheartedly — in fact, I accept some questionable certs in my zeal to transfer ciphertext instead of plaintext.

However, I neglected to mention in my previous post that I also use EFF's "HTTPS Everywhere," and an extension for that extension called "HTTPS Finder" — the former forces HTTPS if the host is known to support it, and the latter forces HTTPS if an HTTPS connection is possible (and creates a new rule for "HTTPS Everywhere"), even with requisite security.ssl3. cipher suites disabled in about:config .

(I figured anyone knuckle-deep in their browser's HTTPS configuration would be aware of them (and hopefully, using them). I recommend both, emphatically — "HTTPS Everywhere" alone yields a vast improvement in security/privacy, and has the benefit of a very long, expert-managed list of defaults.)

Thus, if RC4 is needed and I have it disabled, I'll be presented with an "ssl_error_no_cypher_overlap" error page, then I enable RC4 and reload. The only weakness there is in my forgetting to re-disable RC4, but the two extensions I mentioned in my initial post help in this effort, alerting me in various ways if/when I connect to another host using weak security:

"CipherFox" displays the cipher suite (or configurable portions thereof) in use on the status bar (e.g., it shows me "AES-256 RSA-4096 SHA1" on DDG), as well as providing the "Enable RC4" check-item on the Tools menu.

"Calomel SSL Validation" displays (on my nav. bar) a color-coded shield that represents a percentage security rating based on weighted factors drawn from the cert and cipher suite, the breakdown of which is displayed via clicking the shield icon.

RC4, BEAST, perfect forward security, recommendati

It's important to remember that only a year ago RC4 was a recommended solution and TLS1.2 support in browsers like Firefox and older operating systems has been slow to arrive.

It was only recommended as a counter to the BEAST attack, which exploited the way block ciphers worked. Since RC4 is a stream cipher it was not subject to this exploit, but a lot of people were uneasy about the recommendation. This is because while it was resilient against BEAST, everyone knew that RC4 was/is on its last legs, but it was the lesser of two evils.

When a workaround for BEAST was created (n/n-1 record splitting), and implemented in just about every browser, the BEAST attack became mostly moot, and at that point people should have put RC4 lower down on the list of allowed ciphers, whose only purpose was to support legacy clients (read: XP).

So basically RC4 should have been put at the bottom of the cipher list for about 18-24 months:

        https://www.imperialviolet.org/2012/01/15/beastfollowup.html

If you're running a Unix system with OpenSSL 0.9.8, then put the following in your Apache configuration:

        SSLHonorCipherOrder On
        SSLCipherSuite DHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA:HIGH:!MD5:!ADH:!DES

If you have OpenSSL 1.0.1+, then:

        SSLHonorCipherOrder On
        SSLCipherSuite ECDH+AES128:DH+AES128:RSA+AES128:RC4-SHA:HIGH:!ADH:!AECDH:!MD5:!DES

More details:

        https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

TLS 1.2 everwhere will add to the security, but the above will go a long way for SSL 3 and TLS 1.0:

        https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

PS: the above two weblogs are two good resources on keep up to date on TLS stuff. The traffic is low, and so when they do post, it's usually worth looking at.

Coincidence

[justthinkit]

I ran into someone yesterday with an MSN address -- the 72-year-old contractor about to repair my sidewalk.

The only person I deal with regularly using an AOL account is my in-law/accountant -- age 74.

Sounds like a two horse race to me. Wait, what about webtv?

Re:Coincidence

[CronoCloud]

Wait, what about webtv?

I'm a former webtv/msntv user, last used it in 2002. They shut down the service in September of last year. The addresses were transferred over to outlook.com so you might still see webtv.net addresses.