Yahoo! - "Wish list"

Yahoo! has announced that it will open up e-mail accounts that have been inactive for over a year for registration by anyone who applies. Yahoo! presents this as a service that gives everyone a chance at a Yahoo! ID of their choice.

Since many organisations, and web applications in particular, use e-mail addresses as part of authentication and identity management, a Yahoo! e-mail user is exposed to a number of risks should their de-activated address be claimed by somebody with bad intentions.

One plainly obvious scenario to model against: e-mail addresses that are publicly known (or can be found out individually) are subject to "theft" by being claimed by third parties. Whoever claims such an address can then trigger password resets at any site where the address is registered and take over those accounts, since the reset link or code is delivered to the mailbox they now control.

Since the announcement Yahoo! has been trying to retrofit some sort of security control into the process by getting the biggest players (Facebook) to implement a new e-mail header for password-reset verification. To that end Yahoo! pushed an IETF draft called "Require-Recipient-Valid-Since Header Field" in mid July 2013. The header lets the sender state the date since which it believes the recipient address has belonged to the same person, so that the receiving mail system can refuse delivery if the mailbox changed hands after that date.
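What the receiving side of that header has to do, as an added example that is not code from this page, from Yahoo! or from the draft's authors. It assumes the header syntax the draft ended up with (published later as RFC 7293): the address, a semicolon, and an RFC 5322 date-time. The mailbox registry and the sample dates are constructed for the example; the decision to reject a malformed header is this example's own policy choice.

```python
"""Receiver-side check for the Require-Recipient-Valid-Since (RRVS) header.

Added example, not code from the page, from Yahoo! or from the draft's
authors.  Assumed header form (as later published in RFC 7293):

    Require-Recipient-Valid-Since: <addr-spec>; <RFC 5322 date-time>

The sender asserts that the named recipient has been the same person since
that date.  A mailbox provider that (re)assigned the address after that date
must not deliver the message, because it would reach the new owner, which is
exactly the password-reset takeover the post describes.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

RRVS_HEADER = "Require-Recipient-Valid-Since"

# Constructed sample data: when the *current* owner of each mailbox took
# possession of it.  A real provider would read this from its account store.
OWNER_SINCE = {
    "alice@example.com": datetime(2011, 3, 2, tzinfo=timezone.utc),  # long-standing owner
    "bob@example.com":   datetime(2013, 8, 1, tzinfo=timezone.utc),  # re-registered after the purge
}


def parse_rrvs(value):
    """Parse 'addr-spec; date-time'; return (address, aware datetime) or None if malformed."""
    addr, sep, when = value.partition(";")
    if not sep or not addr.strip():
        return None
    try:
        ts = parsedate_to_datetime(when.strip())
    except (TypeError, ValueError):      # unparsable date (TypeError on older Pythons)
        return None
    if ts.tzinfo is None:                # a '-0000' zone yields a naive datetime; treat it as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), ts


def rrvs_decision(envelope_rcpt, headers, owner_since=OWNER_SINCE):
    """Decide 'deliver' or 'reject' for one envelope recipient.

    No header, or a header about a different address: nothing was asserted
    about this recipient, so normal delivery.  Unknown mailbox: the claim
    cannot be evaluated, normal delivery.  Mailbox (re)assigned after the
    asserted date: reject.  A malformed header is rejected as well; failing
    closed is this example's policy choice, since the sender clearly wanted
    the check to happen.
    """
    value = headers.get(RRVS_HEADER)
    if value is None:
        return "deliver"
    parsed = parse_rrvs(value)
    if parsed is None:
        return "reject"
    addr, valid_since = parsed
    if addr != envelope_rcpt.lower():
        return "deliver"
    since = owner_since.get(addr)
    if since is None:
        return "deliver"
    return "reject" if since > valid_since else "deliver"
```

On the sending side, the web application fills in the date at which the user registered or last confirmed the address; with the constructed data above, a reset mail for bob@example.com asserting May 2012 is refused because the mailbox was handed to a new owner in August 2013.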

It is not a Question of "IF"

This is merely an attempt at reducing the damage that the recently announced move by Yahoo! will cause. There are many reasons an e-mail address may be left dormant yet remain important to its owner, especially if it was used for registrations.

Nor is it a theoretical matter: password-reset functionality is a known weak link, and stealing an e-mail address as the first hop toward stealing an identity is common.

It is not a question of whether this new Yahoo! move will be abused, it will be.

A story from the Past


I uploaded a new version of "Harden SSL/TLS"

Changes

  • Added Windows 8 support
  • Added Windows Server 2012 support
  • Resolved an issue around P521 additions

About Harden SSL/TLS 

"Harden SSL/TLS" allows configuring and hardening the SSL/TLS settings of Windows systems, from Windows XP to Windows 8 and from Windows Server 2003 to Windows Server 2012.

Harden SSL/TLS can set SSL policies remotely, allowing or denying individual ciphers and hashes or complete cipher suites.

The foundation of this tool was G-SEC's investigation and reverse engineering of the ciphers provided by the various SCHANNEL versions, presented in the paper "SSL/TLS Compatibility Report".

Specifically, the tool sets policies on which ciphers and protocols are available to applications that use the SCHANNEL crypto interface. Many Windows applications use this interface; Internet Explorer and Apple Safari are two of them.
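The registry mechanism behind such a policy, as an added example that is not the Harden SSL/TLS tool's own code: SCHANNEL reads its protocol, cipher, hash and key-exchange switches from the SCHANNEL key under HKLM\SYSTEM and the cipher-suite priority list from the SSL configuration policy key. The key paths and value names are the documented ones; the split into a pure "plan" step and an "apply" step, and the contents of the sample hardening policy, are this example's own choices. The writes need an elevated session and a reboot before SCHANNEL picks them up.

```python
"""Plan and apply SCHANNEL policy through the Windows registry.

Added example, not the Harden SSL/TLS tool's own code.  The planning functions
are pure and portable; apply_plan() needs Windows (winreg) and, for a remote
host, the Remote Registry service.  A reboot is required afterwards.
"""
try:
    import winreg          # Windows only; planning does not need it
except ImportError:        # pragma: no cover
    winreg = None

SCHANNEL = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
SUITE_ORDER = r"SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
CATEGORIES = ("Protocols", "Ciphers", "Hashes", "KeyExchangeAlgorithms")


def plan_switch(category, name, enabled):
    """Return [(subkey, value_name, kind, data), ...] for one SCHANNEL switch.

    Protocols (e.g. 'SSL 2.0') have Client and Server subkeys, each with
    Enabled and DisabledByDefault.  Ciphers ('RC4 128/128'), Hashes ('MD5')
    and KeyExchangeAlgorithms ('Diffie-Hellman') carry only Enabled.
    Enabled is a REG_DWORD where 0 disables and any non-zero value enables.
    """
    if category not in CATEGORIES:
        raise ValueError("unknown SCHANNEL category %r" % category)
    writes = []
    if category == "Protocols":
        for side in ("Client", "Server"):
            key = "%s\\%s\\%s\\%s" % (SCHANNEL, category, name, side)
            writes.append((key, "Enabled", "REG_DWORD", 1 if enabled else 0))
            writes.append((key, "DisabledByDefault", "REG_DWORD", 0 if enabled else 1))
    else:
        key = "%s\\%s\\%s" % (SCHANNEL, category, name)
        writes.append((key, "Enabled", "REG_DWORD", 1 if enabled else 0))
    return writes


def plan_suite_order(suite_names):
    """Cipher-suite priority as Group Policy writes it: one comma-separated REG_SZ."""
    return [(SUITE_ORDER, "Functions", "REG_SZ", ",".join(suite_names))]


def apply_plan(writes, computer=None):
    """Write the planned values, locally (computer=None) or via the remote registry."""
    if winreg is None:
        raise RuntimeError("registry writes need Windows")
    kinds = {"REG_DWORD": winreg.REG_DWORD, "REG_SZ": winreg.REG_SZ}
    hklm = winreg.ConnectRegistry(computer, winreg.HKEY_LOCAL_MACHINE)
    try:
        for subkey, value_name, kind, data in writes:
            # CreateKeyEx creates missing intermediate keys, e.g. Protocols\SSL 2.0\Server.
            with winreg.CreateKeyEx(hklm, subkey, 0, winreg.KEY_SET_VALUE) as key:
                winreg.SetValueEx(key, value_name, 0, kinds[kind], data)
    finally:
        hklm.Close()


def harden_plan():
    """Constructed sample policy: no SSLv2, no RC4, no MD5, and a fixed suite order.

    The suite names are Windows' own spelling for 2012-era stacks (assumption:
    adjust to what your SCHANNEL version actually supports).
    """
    return (plan_switch("Protocols", "SSL 2.0", False)
            + plan_switch("Ciphers", "RC4 128/128", False)
            + plan_switch("Hashes", "MD5", False)
            + plan_suite_order([
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
                "TLS_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
            ]))


if __name__ == "__main__":
    for write in harden_plan():     # dry run: print what would be written
        print(write)
    # apply_plan(harden_plan(), computer="WEB01")   # remote host, hypothetical name
```

Reviewing the plan before applying it matters here: an Enabled=0 under the wrong protocol key (or DisabledByDefault left at 0 on a protocol you meant to retire) silently leaves the old negotiation behaviour in place after the reboot.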


Interesting Reads - Week 12 / 2013


Food for thought 



I have updated my little TLS/SSL scanner called "SSL Audit" to version 0.8. I tweaked it slightly, but the tool is still based on its own rudimentary SSL engine and hence is not limited by the number of ciphersuites and protocols available to OpenSSL or NSS.

By the way I am still a little bit proud of the SSL Stack fingerprinting feature. I haven't updated it recently but it still seems to work out nicely. Try it out and let me know, especially if you have access to less known ssl stacks.
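The core of a library-independent scanner, as an added example that is not SSL Audit's own code: build the TLS ClientHello byte by byte and read the ServerHello back, so any 16-bit suite code point can be offered regardless of what the local OpenSSL or NSS build supports. The code points are from the TLS cipher-suite registry (RFC 5246, RFC 5932 for the Camellia SHA-256 suites, RFC 6209 for ARIA); the record-layer version, the SNI handling and the one-suite-per-connection probing strategy are this example's own choices.

```python
"""Library-independent TLS cipher-suite probe.

Added example, not SSL Audit's own code.  Scope: TLS 1.0 to 1.2 only (no
TLS 1.3 HelloRetryRequest, no SSLv2), and the ServerHello is expected in the
first record the server sends, which is how servers of that era behave.
"""
import os
import socket
import struct

# IANA code points; names as in the registry.
SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA":             0x0005,
    "TLS_RSA_WITH_AES_128_CBC_SHA":         0x002F,
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA":    0x0041,
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256": 0x00BA,   # RFC 5932, TLS 1.2 only
    "TLS_RSA_WITH_ARIA_128_CBC_SHA256":     0xC03C,   # RFC 6209
}
TLS_VERSIONS = {"TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
HANDSHAKE, ALERT = 0x16, 0x15


def build_client_hello(version, suites, sni=None):
    """Return one TLS record carrying a ClientHello that offers exactly `suites`."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                  # one compression method: null
    if sni:
        host = sni.encode("idna")
        name_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host   # list len, host_name type, name
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list          # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # msg_type ClientHello, uint24 length
    # Record-layer version is kept at TLS 1.0 so old stacks do not choke on the outer header.
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the server's first record: ('accepted', version, suite) or ('rejected', alert_desc)."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == ALERT and len(payload) >= 2:
        return ("rejected", payload[1])         # 40 = handshake_failure, 70 = protocol_version
    if ctype != HANDSHAKE or payload[0:1] != b"\x02":
        raise ValueError("unexpected record type %#x" % ctype)
    hello = payload[4:]                         # skip msg_type + uint24 length
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]                         # after 2-byte version + 32-byte random
    suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
    return ("accepted", version, suite)


def probe(host, port, version, suite, timeout=5.0):
    """Offer a single suite; the server can only select it or refuse the handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, [suite], sni=host))
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    for name, code in SUITES.items():
        print(name, probe(target, 443, TLS_VERSIONS["TLS1.2"], code))
```

Offering one suite per connection is what makes the result unambiguous: a ServerHello means the suite is enabled server-side, a handshake_failure alert means it is not, and neither answer depends on which suites the scanning host's own TLS library happens to implement.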

Changes

  • Added support for TLS 1.2 Camellia ciphersuites;
  • Sped up SSLv2 enumeration;
  • Added the complete range of ARIA ciphersuites (http://tools.ietf.org/html/draft-nsri-tls-aria-00)

SSL Audit v0.8

Download