Re: yahoo mail login security
From: ROB DIXON (rdixon at workforcewv.org)
Date: Mon May 01 2006 - 14:50:49 CDT
If you are capturing the form submission via MITM, then would SSL not be just as trivial via Cain and Abel?
Granted, it would be obvious since the SSL cert would appear to be invalid, but not everyone is that savvy.
Robert L. Dixon, CHFI
State of West Virginia's
West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
------------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
>>> Andrew van der Stock <vanderaj at greebo.net> >>>
Several reasons:
1. MD5 does protect the password... as long as it is salted
correctly. Unsalted MD5 hashes are trivially breakable using rainbow
attacks, and are unsuitable for most uses (despite heavy usage by
many programs in exactly this fashion).
2. Replay attacks on public networks. Capturing the form submission
(trivial without SSL) would allow an attacker to replay the
conversation and log on as the identity without any issues.
3. MD5 is provably weak as a hash - see the work of Wang et al:
http://eprint.iacr.org/2004/199.pdf
4. JavaScript on the client is not a trusted environment. Minimizing
the trust of security-weak components is a good design goal.
5. SSL is cheap. A certificate costs less than $100 these days and
solves many of these issues.
Andrew
On 30/04/2006, at 5:55 PM, Ace123 wrote:
> Clicking on "Why this is secure" link on the yahoo login page gives
> this:
>
> "Yahoo! now submits your ID and password securely via SSL (Secure
> Sockets Layer) encryption. This means that your personal information
> is more secure every time you sign in.
>
> In the past, Yahoo! used a challenge-response mechanism to protect
> passwords using MD5. Passwords were scrambled using a one-way hash, so
> that they could not be converted to clear text."
>
>
> What could be the reasons why yahoo changed their login security
> mechanism?
>
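As an added example, not code from this thread, from Yahoo, or from any of the posters: a constructed Python model of a pre-SSL challenge-response login of the kind Andrew's points 1 and 2 discuss. The scheme (server stores an unsalted md5(password); the page's JavaScript submits md5(md5(password) + challenge)), the user names, passwords and word list are all assumptions for illustration, not Yahoo's actual implementation. It shows why the captured form submission can be replayed when the server does not retire challenges, why a single captured exchange is an offline cracking oracle regardless, why the unsalted stored hash is both table-lookable and a password-equivalent credential, and what a per-user salt changes.

```python
import hashlib
import secrets

# Constructed inputs (not from the thread): one weak and one strong password.
WORDLIST = ["password", "letmein", "qwerty", "hunter2"]
USERS = {"alice": "hunter2", "bob": "T7#rq!vL0pX2"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def client_response(password: str, challenge: str) -> str:
    """Assumed browser-side JavaScript computation: md5(md5(password) + challenge).
    Only this value crosses the wire; the password itself never does."""
    return md5_hex(md5_hex(password) + challenge)


class Server:
    """Verifier that stores an unsalted md5(password) per user (assumed scheme)."""

    def __init__(self, users, single_use_challenges):
        self.store = {u: md5_hex(p) for u, p in users.items()}
        self.single_use = single_use_challenges
        self.outstanding = set()

    def challenge(self) -> str:
        c = secrets.token_hex(8)
        self.outstanding.add(c)
        return c

    def login(self, user: str, challenge: str, response: str) -> bool:
        if user not in self.store or challenge not in self.outstanding:
            return False
        if self.single_use:
            self.outstanding.discard(challenge)  # a challenge may be answered once
        expected = md5_hex(self.store[user] + challenge)
        return secrets.compare_digest(expected, response)


def replay_captured_login(server, user, password):
    """Point 2: a legitimate login, then the eavesdropper resubmits the exact
    form fields it captured.  Returns (first_attempt, replayed_attempt)."""
    c = server.challenge()
    r = client_response(password, c)      # what a sniffer sees without SSL
    return server.login(user, c, r), server.login(user, c, r)


def login_with_stolen_hash(server, user, stolen_md5):
    """The stored md5(password) is itself a credential: whoever obtains it can
    answer any fresh challenge without ever learning the password."""
    c = server.challenge()
    return server.login(user, c, md5_hex(stolen_md5 + c))


def offline_crack(challenge, response, wordlist):
    """One captured (challenge, response) pair is an offline oracle: guesses are
    checked locally at MD5 speed with no further contact with the server."""
    for guess in wordlist:
        if client_response(guess, challenge) == response:
            return guess
    return None


def table_lookup(stored_hashes, wordlist):
    """Point 1: against unsalted MD5 a precomputed table (a tiny stand-in for a
    rainbow table) turns a leaked hash store straight back into passwords."""
    table = {md5_hex(w): w for w in wordlist}
    return {u: table[h] for u, h in stored_hashes.items() if h in table}


def salted_store(users):
    """Per-user random salt: the same precomputed table finds nothing, since
    each stored hash now depends on a value the attacker had to obtain first."""
    out = {}
    for u, p in users.items():
        salt = secrets.token_hex(8)
        out[u] = (salt, md5_hex(salt + p))
    return out


if __name__ == "__main__":
    lax = Server(USERS, single_use_challenges=False)
    print("replay against reused challenge:", replay_captured_login(lax, "alice", "hunter2"))
    strict = Server(USERS, single_use_challenges=True)
    print("replay against single-use challenge:", replay_captured_login(strict, "alice", "hunter2"))
    c = "00112233aabbccdd"                      # constructed captured challenge
    r = client_response("hunter2", c)           # constructed captured response
    print("offline crack of captured pair:", offline_crack(c, r, WORDLIST))
    print("table lookup on leaked store:", table_lookup(strict.store, WORDLIST))
    salted = salted_store(USERS)
    print("table lookup on salted store:",
          table_lookup({u: h for u, (_, h) in salted.items()}, WORDLIST))
    print("stolen hash logs in:", login_with_stolen_hash(strict, "alice", strict.store["alice"]))
```

Single-use challenges stop the literal replay but change nothing about the offline attack or the password-equivalent hash; only keeping MD5 off the wire entirely (password over SSL, salted and slow hash at rest) addresses all of Andrew's points at once.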