Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Re: yahoo mail login security

from [Damon Leung] Network Security [Permanent Link]
Subject: Re: Re: yahoo mail login security
Date: Wed, 03 May 2006 10:12:14 +1000 
In Gmail, if you start with the url https://mail.google.com, then you stay in 
https even after authentication.

-----Original Message-----
From: Ace123 <flace9@gmail.com>
To: "ROB DIXON" <rdixon@workforcewv.org>
Date: Tue, 2 May 2006 11:30:32 +0530
Subject: Re: yahoo mail login security

1. Would it then be wise to send the md5 hash over ssl?

2. Yahoo is not alone in switching to http for email after
authenticating the user, both hotmail and gmail do the same. One
reason I can think of why they do this is, the various resources in
their pages come from different domains (possibly 3rd party) and they
can't ask for all of them to do SSL. Do you know of any other reasons?

3. The cookie names these guys use are very tricky, there are usually
many cookies and it is not clear why of them represents the session,
so that we can take that cookie, set it in our browser and check out
other's email. Ofcourse, it might be possible to set all the cookies
that we see there, but I have not tried that. Has anyone done any
research on what each of the cookies is used for, in
yahoo/hotmail/gmail?

Thanks!


On 5/2/06, ROB DIXON <rdixon@workforcewv.org> wrote:

exactly

Robert L. Dixon,  CHFI
State of West Virginia's
West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
------------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

"Matt Fisher" <mfisher@spidynamics.com>  >>>

Don't they revert back to HTTP after auth anyhow ?
Protect my credentials all you want, but if you give up my email on the
wire(less) I'm switching regardless.



-----Original Message-----
From: ROB DIXON [mailto:rdixon@workforcewv.org]
Sent: Monday, May 01, 2006 3:51 PM
To: flace9@gmail.com; vanderaj@greebo.net
Cc: webappsec@securityfocus.com
Subject: Re: yahoo mail login security

If you are capturing the form submission via MITM then would SSL not be
just as trivial via Cain and Able.\

Granted it would be obvious since the SSL cert would appear to be
invalid, but not everyone is that savy.

Robert L. Dixon,  CHFI
State of West Virginia's
West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
------------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

Andrew van der Stock <vanderaj@greebo.net>  >>>

Several reasons:

1. MD5 does protect the password... as long as it is salted
correctly. Unsalted MD5 hashes are trivially breakable using rainbow
attacks, and are unsuitable for most uses (despite heavy usage by
many programs in exactly this fashion).

2. Replay attacks on public networks. Capturing the form submission
(trivial without SSL) would allow an attacker to replay the
conversation and log on as the identity without any issues

3. MD5 is provably weak as a hash - see the work of Wang et al:

http://eprint.iacr.org/2004/199.pdf

4. Javascript on the client is not a trusted environment. Minimizing
the trust of security weak components is a good design goal.

5. SSL is cheap. A certificate costs less than $100 these days and
solves many of these issues.

Andrew



On 30/04/2006, at 5:55 PM, Ace123 wrote:


Clicking on "Why this is secure" link on the yahoo login page gives
this:

"Yahoo! now submits your ID and password securely via SSL (Secure
Sockets Layer) encryption. This means that your personal information
is more secure every time you sign in.

In the past, Yahoo! used a challenge-response mechanism to protect
passwords using MD5. Passwords were scrambled using a one-way hash, so
that they could not be converted to clear text."


What could be the reasons why yahoo changed their login security
mechanism?

----------------------------------------------------------------------



---
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web
application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way
you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?
id=701300000007kaF
----------------------------------------------------------------------



----






------------------------------------------------------------------------
-
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online
despite security executives' efforts to prevent malicious attacks. This
whitepaper identifies the most common methods of attacks that we have
seen,
and outlines a guideline for developing secure web applications.
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
------------------------------------------------------------------------
--





-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------





-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9r
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [WEB SECURITY] cookies a fundamental threat?, Brian Eaton
Next by Date:  RE: [WEB SECURITY] cookies a fundamental threat?, Martin O'Neal
Previous by Thread:  Re: yahoo mail login security, Sels, Roger
Next by Thread:  Re: Re: yahoo mail login security, Darren Bounds
Indexes:  [Date] [Thread] [Top] [All Lists]