Slashdot Mirror


Security Expert: Yahoo's Email Encryption Needs Work

itwbennett writes "On Tuesday, Yahoo delivered on a promise that it made in October to enable email encryption for everyone by default by January 8. While this is a great step, the company's HTTPS implementation appears to be inconsistent across servers and even technically insecure in some cases, according to Ivan Ristic, director of application security research at security firm Qualys. For example, some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients. 'RC4 is considered weak, which is why we advise that people either don't use it, or if they feel they must, use it as a last resort,' Ristic said."
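An added example, not part of the original submission or of Yahoo's or Qualys's tooling: a small model of server-side cipher-suite selection showing why a server that prefers RC4 ends up using it with most clients, while a server that lists it last uses it only for clients that offer nothing else. The suite names are standard TLS identifiers; the server orders and client offers are constructed for illustration.

```python
# Added illustration: which cipher suite a TLS server selects when it
# enforces its own preference order. All suite lists are constructed samples.

RC4 = "TLS_RSA_WITH_RC4_128_SHA"
GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"

# Server configurations (constructed): RC4 preferred vs. RC4 as last resort.
RC4_FIRST = [RC4, GCM, CBC]
RC4_LAST = [GCM, CBC, RC4]

# Client offers (constructed), in each client's own preference order.
CLIENTS = {
    "modern": [GCM, CBC, RC4],
    "legacy": [CBC, RC4],
    "rc4_only": [RC4],
}


def negotiate(server_prefs, client_offer):
    """Return the first server-preferred suite the client also offers."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake would fail


def audit(server_prefs, clients):
    """Map each client name to the suite the server would select for it."""
    return {name: negotiate(server_prefs, offer) for name, offer in clients.items()}


def clients_on_rc4(server_prefs, clients):
    """Names of clients that end up on an RC4 suite with this server order."""
    picked = audit(server_prefs, clients)
    return sorted(n for n, s in picked.items() if s is not None and "RC4" in s)


if __name__ == "__main__":
    for label, prefs in (("RC4 first", RC4_FIRST), ("RC4 last", RC4_LAST)):
        print(label, "->", clients_on_rc4(prefs, CLIENTS))
```
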

6 of 123 comments

  1. Ya-what? by hoifelot · Score: 5, Insightful

    I don't understand how Yahoo can be alive today. It's been way behind competitors for about a decade. This type of story fits right in with that picture. Okay, if they are still alive, I guess they must be making money. But I'm happy they are still around. Now and then I find that I need to reconnect with a site I haven't used for years, where I registered with my Yahoo address... And in that case, it's nice that I'm able to receive a password reset link. But what's the attraction today, besides that?

    1. Re:Ya-what? by TheloniousToady · Score: 5, Interesting

      OK, I'll bite. There still are a few things they do well. For example, their Finance feature is among the best in class of financial information (IMHO).

      I began using their email system as a POP server years ago, mainly because I thought the spam filtering worked very well. At some point, they changed their system so that you had to use their address as the reply address, so I began using that rather than my website's forwarding address. Although that should have alienated me and made me go elsewhere, I stuck with them, so now people are used to replying to the Yahoo address and it's hard to switch to something else.

      I used to use their "classic" (old-fashioned) mail but they forced me and everyone else out of that last year. So, I got used to the new email interface and even generally like it now, but the performance problems still are inexcusable. For example, I sent one email several times the other day after their system said it had failed to send it, then multiple copies of it appeared in my "Sent" list. So, did it go out or not? - who knows?

      Their longstanding "Groups" system still has some attractive features. I tried to find a replacement for it recently for an email list I've run for several years, and I couldn't find any similar free and ready-made (no installation) email group service that allows users to subscribe themselves.

      There seems to be a theme lately of Yahoo changing the cosmetics of their system as often as possible. However, they don't seem to understand that users don't want change unless there is a clear benefit to them. And users also don't want continuous change - they need time to digest each new thing that's foisted on them. Yahoo also seems to be disregarding the impact all these changes have on system performance. Even after tolerating senseless change, I'm just about ready to abandon their email due to its increasingly poor performance.

      I find their search to be OK, though I'm not particularly loyal to it. Honestly, I can't tell much difference between Yahoo/Bing search and Google, so I just use whichever one comes up in the browser I happen to be using. However, my perception is that Google is very slightly better.

      Overall, the challenge for Yahoo is to modernize their systems after years of neglect, while retaining the things that people like about them (in my case: finance, spam filtering, and groups), without impacting quality in terms of performance and security. They might get to the Promised Land one day, but there's a lot of desert to cross first.

  2. Re:Momentum by Arker · Score: 5, Funny

    Lots of these people actually think their email account is tied to their computer. They think they would have to get a new computer to change email accounts.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.

  3. Progress. by ptudor · Score: 5, Interesting

    It's important to remember that only a year ago RC4 was a recommended solution and TLS 1.2 support in browsers like Firefox and older operating systems has been slow to arrive. So I look at this as an important first step, with progressive refinements sure to follow. In the same way that Facebook introduced https in response to Tunisia and slowly made it an option for all users before making it default, Yahoo, while slow in adopting a model of default security, has to walk similar steps. They may have had an SSL-beta-option for the last year, but given their AOL-like user base, I can understand being conservative in adopting new methods and being liberal in the ciphers they provide. Someone using Chrome in Mavericks may expect support for SPDY3 with AES-GCM, but for a user base that may be using IE6 or FF3 on XP still, for a company that caters to people who will never know what GCM or SHA2 is, it is best to avoid the headline, "Yahoo Mail is Broken for tens of thousands of users." They'll get there. Thanks for trying, Yahoo.

    Now, can someone at Microsoft turn on STARTTLS? For that matter, I wish NANOG would turn on STARTTLS for inbound connections.

    Also, IPv6... please... IPv6...

  4. Even good ciphers are mostly useless by abies · Score: 5, Insightful

    I wonder, in the real world, how big a percentage of the attacks are performed by man-in-the-middle (where strength of cipher matters). Between

    1) 3 letter agencies just accessing content directly on Yahoo servers
    2) Somebody hacking a router between you and Yahoo (or eavesdropping on the physical line) and performing a very costly cipher break
    3) Having trojan/keylogger/whatever on your machine giving access to everything

    How much of a problem is point 2 compared to 1 and 3? People can write a lot about how usage of a bad cipher will allow your mails to be cracked in 1 day instead of 5 billion years... but probably 99% of compromised emails are accessed through 1 or 3.

    It is like with optimizing code. You could optimize the hotspot where 99% of CPU time is spent, but it is hard. So instead you optimize all things around it, making the other 1% orders of magnitude faster, and then forget that you cannot do anything about the remaining 99%...

  5. This is not "email encryption" by daveewart · Score: 5, Informative

    While the article is correct and uses precise terminology, the summary is wrong to use the term "email encryption". That term is for encrypted email messages using PGP/GPG/S/MIME.

    Yahoo have no framework for email encryption. This article is about use of HTTPS for their webmail service and (a) whether that has been implemented and, if so, (b) whether it has been done correctly.

    The answers to which are: (a) mostly and (b) no.

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe