Yahoo is still vulnerable
The first thing you should do after your home or apartment is robbed is, obviously, change the lock. Yahoo doesn’t seem to think so: the same practices that were in place when it got breached are still being used, according to a new report by Venafi.
What’s more, its practices have for years been known to be insecure. Venafi puts it simply: if you’re a Yahoo user, you should be worried about this. Here’s what it did (or, rather, didn’t do): most importantly, 27 percent of certificates on external Yahoo sites haven’t been changed since January 2015.
"Replacing certificates after a breach is a critical mitigation practice; unless certificates are replaced, breached organizations cannot be certain that attackers do not have ongoing access to encrypted communications", Venafi says. In the last 90 days, 519 certificates have been issued, which leads Venafi to conclude that Yahoo "does not have the ability to find and replace digital certificates", something it considers a common problem.
Also, Venafi says that a "surprising" number of Yahoo digital certificates use MD5, a cryptographic hashing function which is known to be vulnerable to brute force attacks. Almost half (41 percent) of external Yahoo certificates use a hashing algorithm deemed insecure.
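As an added illustration (not part of the article and not Venafi's tooling), the Python below audits a certificate inventory captured as `openssl x509 -noout -text` output for the two findings above: certificates not reissued since a cutoff date, and certificates signed with a weak hash such as MD5. The sample certificates, hostnames and the January 2015 cutoff are constructed for the example.

```python
"""Audit a certificate inventory (concatenated `openssl x509 -noout -text`
output) for certificates not reissued since a cutoff and weak signature hashes."""
import re
from datetime import datetime, timezone

# Reference date from the report ("not changed since January 2015"); assumed cutoff.
REPORT_CUTOFF = datetime(2015, 1, 1, tzinfo=timezone.utc)
# Signature hashes treated as insecure; "(?!\d)" stops "sha1" matching "sha1xx".
WEAK_HASH = re.compile(r"(md2|md5|sha1)(?!\d)")

# Constructed sample inventory (placeholder names, not real Yahoo certificates).
SAMPLE_INVENTORY = """\
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Validity
            Not Before: Mar  3 00:00:00 2014 GMT
        Subject: CN=legacy.example.test
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Oct 10 00:00:00 2016 GMT
        Subject: CN=www.example.test
"""

def parse_inventory(text):
    """Split concatenated openssl text output into one dict per certificate."""
    certs = []
    for chunk in re.split(r"^Certificate:", text, flags=re.M)[1:]:
        sig = re.search(r"Signature Algorithm:\s*(\S+)", chunk).group(1)
        issued = re.search(r"Not Before:\s*(\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})", chunk).group(1)
        cn = re.search(r"Subject:.*?CN\s*=\s*([^,\n]+)", chunk).group(1).strip()
        # openssl pads single-digit days with two spaces ("Mar  3"); normalise first.
        when = datetime.strptime(" ".join(issued.split()), "%b %d %H:%M:%S %Y")
        certs.append({"cn": cn, "sig": sig, "issued": when.replace(tzinfo=timezone.utc)})
    return certs

def audit(certs, cutoff=REPORT_CUTOFF):
    """Map each certificate CN to the list of findings against it (empty = clean)."""
    findings = {}
    for c in certs:
        issues = []
        if c["issued"] < cutoff:
            issues.append("not reissued since cutoff")
        if WEAK_HASH.search(c["sig"].lower()):
            issues.append("weak signature hash: " + c["sig"])
        findings[c["cn"]] = issues
    return findings
```

On a real estate, the input would be the concatenated output of `openssl x509 -noout -text` over every certificate served by the external hosts, and the share of CNs with a non-empty finding list is the percentage figure the report quotes.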
"In our experience, major breaches, such as the one suffered by Yahoo!, are often accompanied by relatively weak cryptographic controls", says Alex Kaplunov, vice president of engineering for Venafi. "To confirm this assumption we took an in-depth look at external-facing Yahoo! web properties and the details of how these sites are using cryptography. We found the encryption practices on these properties to be relatively weak. This is not surprising. In our experience most enterprises, even global brands with deep cyber security investments, have weak cryptographic controls".
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.
Image Credit: Chaiyapop Bhumiwat / Shutterstock