Security Expert: Yahoo's Email Encryption Needs Work

itwbennett writes "On Tuesday, Yahoo delivered on a promise that it made in October to enable email encryption for everyone by default by January 8. While this is a great step, the company's HTTPS implementation appears to be inconsistent across servers and even technically insecure in some cases, according to Ivan Ristic, director of application security research at security firm Qualys. For example, some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients. 'RC4 is considered weak, which is why we advise that people either don't use it, or if they feel they must, use it as a last resort,' Ristic said."

Ya-what?

[hoifelot]

I don't understand how yahoo can be alive today. It's been way behind competitors for about a decade. This type of story fits right in with that picture. Okay, if they are still alive, I guess they must be making money. But I'm happy they are still around. Now and then I find that I need to reconnect with a site I haven't used for years, where I registered with my yahoo address... And in that case, it's nice that I'm able to receive a password reset link. But what's the attraction today, besides that?

Momentum

[sqrt(2)]

It was around at the right time to capture a large percentage of normies just getting online for the first time. These people don't like change. They don't really "like" computers in general. To them they're just tools; very frustrating and obtuse tools. Changing e-mail addresses is far more trouble than it is worth--we can barely get these people to give up Windows XP.

Re:Momentum

[Mashiki]

Lots of these people actually think their email account is tied to their computer. They think they would have to get a new computer to change email accounts.

I suppose that's possible. After all, people have long grown up with the address=home. In turn, computer = unique address, and they don't see a mechanism(to transfer-though not needed), for their new computer like they would with a house/apt/etc. Though I will say in the 18 years I've been working with computers I've never seen this.

Even good ciphers are mostly useless

[abies]

I wonder, in real world, how big percentage of the attacks are performed by man-in-the-middle (where strength of cypher matters). Between

1) 3 letter agencies just accessing content directly on Yahoo servers
2) Somebody hacking router between you and Yahoo (or evesdropping on physical line) and performing very costly cypher break
3) Having trojan/keylogger/whatever on your machine giving access to everything

How much point 2 is a problem compared to 1 and 3? People can write a lot about how usage of bad cipher will allow your mails to be cracked in 1 day instead of 5 billion years... but probably 99% of compromised emails are accessed through 1 or 3.

It is like with optimizing code. You could optimize hotspot where 99% of cpu time is spent, but it is hard. So instead you optimize all things around, making other 1% order of magnitudes faster and then forget than you cannot do anything about remaining 99%...

Re: Ya-what?

[SQLGuru]

The recent revamps to Bing / Outlook.com (nee Live.com nee Hotmail.com) have made it better than Yahoo (in my opinion --- and many tech blogs as well). But what Yahoo has going for it is that the high-inertia crowd has been using it for a while and won't budge from it. I know a lot of tech un-savvy baby boomers who won't leave Yahoo because they don't know how to transfer their information and don't want to lose their history. (It's the same crowd that still pays for AOL.)