New HTTPS hijacking method and how to avoid the mess

  • too_much green_tea
    Message 1 of 5, Feb 26, 2009
      Here's SANS' summary (http://isc.sans.org/diary.html?storyid=5908)

      I don't believe that summary gives the method enough credit. If anyone's curious, watching the original presentation is a must (link included on SANS' page.)

      How exactly is this impacting us? Well, for most of us, we either enter http://mail.yahoo.com then wait for the redirect, or go through the main page (http://www.yahoo.com or other variants) then go from there. With this disclosed hijacking method, those logins can no longer be considered 100% safe (we'll need to examine the URL bar carefully every time.)

      I'm guessing one way to avoid the annoyance is to use https://login.yahoo.com/config/login_verify2?&.src=ym if we want to sign into YMail directly, or use https://login.yahoo.com to log into My Yahoo! first then go from there.
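The post above describes the symptom (a plain-http entry point followed by a redirect, and the advice to check the URL bar before logging in) without spelling out the mechanism. The following is an added example written for this archive, not code from the original post, from Yahoo or from the presentation it links. It assumes, as an assumption not stated on the page, that the hijacking method works by letting the victim's plain-http request through, rewriting the site's https:// redirect into an http:// one, and then relaying between the victim (clear text) and the real site (TLS), so whatever is typed into the login form passes through the attacker. The host names are the ones quoted in the post; every response and the sample credentials are constructed, not captured traffic.

```python
"""Simulation of an https-redirect-rewriting intermediary and the URL-bar check.

Added example for this thread (not the poster's, Yahoo's or the presenter's code).
Assumed attack model: the attacker sits on the victim's network path, passes the
plain-http request through, rewrites the site's https:// redirect to http://, and
relays between victim (clear text) and site (TLS).  All responses are constructed.
"""
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Login URL quoted in the post; used here as the origin's redirect target.
LOGIN_HTTPS = "https://login.yahoo.com/config/login_verify2?&.src=ym"


def origin(url, form=None):
    """Stand-in for the real servers (constructed): the plain-http mail entry
    point redirects to the https login page, which serves a form / accepts a POST."""
    if url == "http://mail.yahoo.com/":
        return 302, {"Location": LOGIN_HTTPS}
    if url == LOGIN_HTTPS:
        return 200, {"Content-Type": "text/html"}
    return 404, {}


class StrippingIntermediary:
    """Attacker between the victim and the site (e.g. on the coffee-shop Wi-Fi)."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.stripped = {}   # http URL the victim sees -> real https URL
        self.captured = []   # form data that crossed the attacker in clear text

    def request(self, url, form=None):
        if url.startswith("https://"):
            # Victim opened TLS directly: the attacker can only relay ciphertext,
            # so there is nothing to rewrite and nothing to read.
            return self.upstream(url, form)
        real = self.stripped.get(url, url)
        if form is not None:
            self.captured.append((real, dict(form)))  # credentials in the clear
        status, headers = self.upstream(real, form)
        location = headers.get("Location", "")
        if status in REDIRECT_STATUSES and location.startswith("https://"):
            plain = "http://" + location[len("https://"):]
            self.stripped[plain] = location          # remember where to relay to
            headers = dict(headers, Location=plain)  # victim never enters TLS
        return status, headers


def browse(start_url, transport):
    """Follow redirects the way a browser does; return what the URL bar shows."""
    url = start_url
    for _ in range(10):
        status, headers = transport(url)
        if status not in REDIRECT_STATUSES:
            return url
        url = headers["Location"]
    raise RuntimeError("redirect loop")


def safe_to_type_password(url_bar, expected_host="login.yahoo.com"):
    """The check the post recommends: scheme AND exact host, every time."""
    parts = urlsplit(url_bar)
    return parts.scheme == "https" and parts.hostname == expected_host


def demo():
    """Two victims: one starts at http://mail.yahoo.com, one types the https URL."""
    mitm = StrippingIntermediary(origin)
    form = {"login": "alice", "passwd": "hunter2"}  # constructed sample credentials

    bar_after_redirect = browse("http://mail.yahoo.com/", mitm.request)
    mitm.request(bar_after_redirect, form)   # submits on the page she landed on

    bar_direct = browse(LOGIN_HTTPS, mitm.request)
    mitm.request(bar_direct, form)           # TLS end to end; attacker sees nothing

    return {
        "via_redirect": bar_after_redirect,
        "direct": bar_direct,
        "captured": mitm.captured,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the two outcomes side by side: the victim who typed the http address ends on an `http://login.yahoo.com/...` page whose form data lands in `captured`, while the victim who typed the https URL never hands the intermediary a plain-text request to rewrite. `safe_to_type_password` is the discipline the post asks for, reduced to two conditions: the scheme must be https and the host must be exactly the expected one, so a look-alike such as `login.yahoo.com.example` fails the check as well.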

    • John Desmond
      Message 2 of 5, Feb 27, 2009
        I'll beat that drum again, but it always falls on deaf ears.

        Why can't Yahoo mail just use https??  My Gmail account does.  That is the only email account I use for banking, etc.  I just do not want that stuff floating out there.  I look at Yahoo mail as unsecured and use it for hobby related items not personal business.  It seems like it should be easy for them to fix that.


        John

      • too_much green_tea
        Message 3 of 5, Feb 27, 2009
          Not to say full https won't be a good thing ... 'cause it is, but Gmail doesn't have any advantage over YMail on this one.

          In fact, taking the current market share into account, the percentage of Gmail passwords getting intercepted over that 24hr period was much higher than YMail. Complacency and carelessness seemed to be the bigger problem in these cases.

          As for https YMail, there's always https://us.m.yahoo.com ...
        • Lloyd Haskins
          Message 4 of 5, Mar 1, 2009
            Okay, what does going to https://us.m.yahoo.com do? All I saw was a few pages with hardly any styles.

            If I couldn't get Yahoo! Mail encrypted on the road or in a Starbucks, I'd go with an encrypted web proxy.
          • too_much green_tea
            Message 5 of 5, Mar 1, 2009
              That's the mobile portal for Yahoo!, and the only place I knew of that uses SSL for almost everything ...