March 16, 2006

Yahoo Gains My Respect, Loses It

Some of you may have noticed by now that Yahoo has been giving a secure SSL login by default for a few months. I am a big believer in NOT sending my password in the clear, and it bugged the crap out of me that the "Secure" option was an additional click away, a bone thrown to us obsessive nerds. So I was glad when "secure" became the default (which it was for Gmail from the beginning, I think).

Today, when I went to log in to Yahoo Mail, there was a link below the password field that said, "Why this is secure". Here's what it said behind that link:


Signing In and Your Security

Yahoo! now submits your ID and password securely via SSL (Secure Sockets Layer) encryption. This means that your personal information is more secure every time you sign in.

In the past, Yahoo! used a challenge-response mechanism to protect passwords using MD5. Passwords were scrambled using a one-way hash, so that they could not be converted to clear text.

Protecting your privacy and information online is extremely important to Yahoo!. We are constantly evaluating our security technologies to ensure we are taking reasonable steps to protect your personal information. As industry standards evolve, we evaluate them for reliability and scalability prior to implementation. As a result, Yahoo! is now able to offer reliable SSL submission of ID and password to anyone with an SSL-enabled browser.

Yahoo! takes your security seriously. For more information about how to protect yourself online, see the Yahoo! Security Center.


So on the one hand, I am rather impressed and pleased that they had been encrypting it with MD5, presumably with JavaScript, before sending it over the wire (but it sure would have been nice to TELL us!). On the other hand... are the above paragraphs the biggest weasel words you ever read, or what? They mention what they used to do, and what they are doing now, and the reason they've changed from one to the other is -- let's see, where is it -- ah, here we go. Wait, no, that's not it... er.... I guess you sort of have to take the last two sentences in the last paragraph together: "As industry standards evolve, we evaluate them for reliability and scalability prior to implementation. As a result, Yahoo! is now able to offer reliable SSL submission of ID and password to anyone with an SSL-enabled browser." "As a result?" Result of what? The ability to offer SSL submission of info is a result of the fact that you evaluate standards? How come Yahoo has only just acquired this ability, when other Web sites have been doing that for a decade? This wasn't really supposed to be a jab at their technical skills, but this opaqueness just leaves all kinds of things open to interpretation.

Posted by Bob at March 16, 2006 02:17 AM