Re: Secure Yahoo logins

From: Chris Caydes (chris_caydes@yahoo.com)
Date: 08/28/02


Date: Wed, 28 Aug 2002 09:53:18 -0700 (PDT)
From: Chris Caydes <chris_caydes@yahoo.com>
To: vuln-dev@securityfocus.com

Well, Alan seems to have the same kind of information
as me on this...
If it is confirmed that the newer versions of the
Yahoo Messenger protocol do not transmit the password
in plain text, then users should all upgrade their
Messenger and use the ymsg10 or ymsg9 protocol. This
should probably answer Jeremy's concerns.
Even then, it does not change a thing for the security
of the data transmitted after login, including screen
name, aliases, buddy list, and messages, but at least
the newer versions of Yahoo seem at the same level of
(in)security as the other major IM programs.

As far as I am concerned, I am not confident in
letting people use IM programs in a corporate
environment.
I would be much more confident with a corporate IM system
(with an internal IM server), that would eventually
include a gateway to external servers (Yahoo, MSN,
etc.). The architecture of Instant Messaging services
in a corporate environment would then be similar to
the architecture of e-mail: an internal e-mail server
with user accounts, and an e-mail gateway to the
Internet. This sounds much better than deploying POP3
clients and giving everyone in the company a Yahoo
Mail account, doesn't it?
I have heard of an IM server for enterprises: "Akonix
L7". Has anyone successfully deployed this product?
Any interesting experiences to share?

Regards
Chris

>
>> A couple things - one, yahoo DOES send the
>> password in plain text, you just have to capture
>> it at the right time,
>
> That ain't true. The last time I was messing with
> Yahoo protocols I learned a lot for them; their
> main ones are called ycht and ymsg, and depending
> on what protocol you use when logging in, it will
> then depend how the password is sent. On the
> ycht protocol your password will be sent in
> clear text in the login string. I hear there are
> plans for Yahoo to stop using this protocol, but
> ymsg, it is a lot more secure. At first ymsg wasn't
> too great and it had problems where people could
> authenticate themselves as any user without
> their password. For a good txt on ymsg9 you
> should read
> http://www.venkydude.com/articles/yahoo.htm
> Yahoo is now at ymsg10 but it ain't much changes
> from 9.
> Regards
> Alan
