Critics Cut Deep on Yahoo Mail Encryption Rollout

Yahoo has turned on HTTPS by default for its web-based email service, but the deployment is inconsistent across the board and experts are critical of its use of weak standards and the lack of Perfect Forward Secrecy and HSTS.

Yahoo, as promised, rolled out HTTPs by default this week for its email service, bringing it in line with other Internet companies that have been securing users’ communication for years.

But if Yahoo expected applause from security experts, it can think again. The response from those well-versed in crypto has been as half-hearted as those experts perceive Yahoo’s efforts to be.

“Yahoo’s announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling,” said Metasploit senior engineering manager Tod Beardsley.

Specifically, Beardsley and others are troubled by Yahoo’s lack of support for Perfect Forward Secrecy, a technology that ensures sessions are secured by randomly generated ephemeral public keys, a strategy that prevents an attacker from later using a stolen private key to decrypt recorded encrypted sessions. Perfect Forward Secrecy is enabled on major sites and services such as Twitter, Facebook and Google, which use the Elliptical Curve Diffie-Hellman Exchange, Beardsley said, which generates a one-time key making it difficult for an attacker to later use private keys to decrypt the data.

“For a website that deals with a lot of personal information, I would say [forward secrecy] is essential,” said Ivan Ristic, director of application research at security company Qualys. “A powerful adversary could collect encrypted network traffic, wait patiently and then obtain the server private key in some way (either with a warrant, illegally, or by breaking the key eventually). Once the key is obtained, all past traffic can be decrypted.

“With Forward Secrecy, each connection is separately encrypted, requiring each connection to be individually broken (which is many, many, many times harder than breaking a single key),” Ristic said.

Ristic did a deep dive into Yahoo’s encryption implementation, and told Threatpost the company uses different SSL configurations on many of its sites, including, log-in pages and mail pages. Weak crypto implementations plague Yahoo across the board, from its use of the broken RC4 algorithm in some spots, to the use of TLS compression, which was determined to be insecure in 2012, Ristic said.

“They use RC4 with all browsers, except with IE11 (but only because this browser does not support RC4 by default),” Ristic said. “This is an unfortunate choice, given that RC4 was broken in early 2013 and that non-broken ciphers are available. The risk from RC4 exploitation is low, however. Still, they should have used TLS 1.2 suites, and ideally the authenticated GCM suites.”

Ristic shared data from his analysis of four Yahoo mail servers and found that the majority did not have TLS 1.2 enabled, and none had HTTP Strict Transport Security enabled, a feature he said ensures sessions are encrypted even if users are lured to an HTTP site.

“HSTS is difficult to deploy if your architecture is complex, and for that reason Yahoo might need significant time to deploy it (and consistently),” said Ristic. Yahoo has not made its encryption road map public, and it’s unknown whether it plans to deploy HSTS or Forward Secrecy.

“As for deployment challenges, I am sure there are many. With exception of HSTS (which might require deep software changes), all these other issues are easy to fix on a standalone server (support TLS 1.2, disable compression, enable Forward Secrecy, etc),” Ristic said. “The challenge is rolling out the changes across your entire infrastructure. I can’t speak in detail, because I am not familiar with their infrastructure.”

Good timing is also not on Yahoo’s side, considering that it is still recovering from an attack on its European sites. Hackers had infiltrated Yahoo’s third-party ad service, which was not only serving malicious ads that redirected millions of visitors to hacker sites hosting financial malware, but were also turning those machines into bots for Bitcoin mining. The BBC reported that attackers were using the combined computing power of those machines to generate the cryptocurrency.

That’s a relatively minor infraction compared to the perceived minimal crypto deployed by Yahoo. Encryption is heralded as the best current defense against government surveillance, and SSL should be considered a minimum standard, Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, told Threatpost in October. It was then when Yahoo announced it was finally catching up to the rest of the pack and turning on SSL by default for Yahoo mail.

Christopher Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union, slammed Yahoo’s delay in October because of the relative simplicity with which hackers or governments can conduct surveillance on Web traffic, including email, without encryption.

“The threat is real,” Soghoian said. “Whether the entity monitoring is the NSA or an identity thief at Starbucks, it has long been known that tools exist to allow interception.”

Suggested articles