Re: Secure Yahoo logins
From: Chris Caydes (chris_caydes@yahoo.com)Date: 08/28/02
- Previous message: Steve Bremer: "Re: Secure Yahoo logins"
- Maybe in reply to: Jeremy: "Secure Yahoo logins"
- Next in thread: Kayne Ian (Softlab): "RE: Secure Yahoo logins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 28 Aug 2002 09:53:18 -0700 (PDT) From: Chris Caydes <chris_caydes@yahoo.com> To: vuln-dev@securityfocus.com
Well, Alan seems to have the same kind of information
as me on this...
If it is confirmed that the newer versions of the
Yahoo Messenger protocol do not transmit the password
in plain text, then users should all upgrade their
Messenger and use the ymsg10 or ymsg9 protocol. This
should probably answer Jeremy's concerns.
Even then, it does not change a thing for the security
of the data transmitted after login, including screen
name, aliases, buddy list, and messages, but at least
the newer versions of Yahoo seem at a same level of
(in)security as the other major IM programs.
As far as I am concerned, I am not confident in
letting people use IM programs in a corporate
environment.
I would much more confident with a corporate IM system
(with an internal IM server), that would eventually
include a gateway to external servers (Yahoo, MSN,
etc.) The architecture of Instant Messaging services
in a corporate environment would then be similar to
the architecture of e-mail : an internal e-mail server
with user accounts, and an e-mail gateway to the
Internet. This sounds much better than deploying POP3
clients and giving everyone in the company a Yahoo
Mail account, doesn't it ?
I have heard of a IM server for enterprises : "Akonix
L7". Has anyone successfully deployed this product ?
Any interesting experiences to share ?
Regards
Chris
>
>> A couple things - one, yahoo DOES send the
>> password in plain text, you just have to capture
>> it at the right time,
>
> That aint true the last time i was messing with
> yahoo protocols i learned alot for them there
> main ones are called ycht and ymsg and depending
> on what protocol you use when logging in it will
> then depend how the password is sent. On the
> ycht protocol your password will be sent in
> clear text in the login string i here there is
> plans for yahoo to stop using this protocol but
> ymsg it is alot more secure at first ymsg wasn't
> to great and it had problems where people could
> authenticate there selfs as any user without
> there password for a good txt on ymsg9 you
> should read
> http://www.venkydude.com/articles/yahoo.htm
> yahoo is now at ymsg10 but it ant much changes
> from 9.
> Regards
> Alan
__________________________________________________
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
http://finance.yahoo.com
- Previous message: Steve Bremer: "Re: Secure Yahoo logins"
- Maybe in reply to: Jeremy: "Secure Yahoo logins"
- Next in thread: Kayne Ian (Softlab): "RE: Secure Yahoo logins"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
