
What 1 Billion Users Wish Yahoo Knew About Protecting Encryption

December 16, 2016 | Shelley Boose

It’s always hard to calculate the exact impact of a breach. But in the latest Yahoo breach there are a billion ways to measure loss of customer confidence. If that isn’t serious enough, the breach could have a measurable impact on Verizon’s $4.8 billion acquisition plans for Yahoo.

Venafi VP of security strategy Kevin Bocek thinks it’s very likely that poorly protected encryption was used to exfiltrate Yahoo’s data, because the amount of data was so massive. “Yahoo has suffered two breaches that together impacted 1.5 billion users—it seems very likely that the data was encrypted during exfiltration and that’s how the attackers managed to move such a massive amount of data while staying under the radar of Yahoo security tools.” He continues, “It’s nearly impossible for any organization to detect unauthorized, encrypted traffic coming in or out of their network unless they have strong cryptography practices.”

In September, right after Yahoo disclosed their 2014 breach that allowed data from 500 million Yahoo users to be exfiltrated, Venafi Labs took an in-depth look at externally facing Yahoo web properties and the details of how these sites were using cryptography. As outlined in a previous blog, we found the encryption practices on these properties to be relatively weak.

Here’s what our cryptographic security researchers found:

  • We analyzed data from TrustNet, a global database of certificate intelligence, and found that 27% of the certificates on external Yahoo websites have not been reissued since January 2015. Replacing certificates after a breach is a critical mitigation practice; unless certificates are replaced, breached organizations cannot be certain that attackers do not have ongoing access to encrypted communications.
     
  • Only 2.5% of the 519 certificates deployed have been issued within the last 90 days, so it’s likely that Yahoo does not have the ability to find and replace digital certificates quickly. Unfortunately, this is a very common problem, even in very large organizations with a significant online presence.
     
  • Venafi Labs data includes a surprising number of Yahoo digital certificates that use MD5, a cryptographic hashing function that can be reversed with brute force attacks. MD5 also suffers from many serious, well-documented vulnerabilities. For example, Flame, a family of malware used for targeted espionage by nation states, exploited an MD5 vulnerability.
     
  • All the MD5 certificates in use by Yahoo! today and many of the other certificates Venafi Labs evaluated are self-issued. One current MD5 certificate uses wildcards (*.yahoo.com) and has an expiration date of 5 years. Certificates with long expiration dates, those that are self-issued and those that use wildcards are all symptoms of weak cryptographic control.
     
  • 41% of the external Yahoo certificates in the TrustNet data set use SHA-1, a hashing algorithm that is no longer considered secure against well-funded opponents. The major browser vendors have stated that they will stop accepting SHA-1 certificates in the first few months of 2017.
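
The checks behind the findings above can be run against any certificate inventory. The following is an added example, not Venafi's tooling or code from the original post: the inventory rows are constructed, and the field names and the 3-year validity limit are assumptions.

```python
from datetime import date, timedelta

# Constructed inventory rows (not real Yahoo data). Field names are assumptions
# modelled on what a certificate scanner export typically provides.
INVENTORY = [
    {"subject": "CN=www.example.test", "issuer": "CN=Example Public CA",
     "names": ["www.example.test"], "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2016, 8, 15), "not_after": date(2017, 8, 15)},
    {"subject": "CN=*.example.test", "issuer": "CN=*.example.test",
     "names": ["*.example.test"], "sig_alg": "md5WithRSAEncryption",
     "not_before": date(2013, 3, 1), "not_after": date(2018, 3, 1)},
    {"subject": "CN=mail.example.test", "issuer": "CN=Example Public CA",
     "names": ["mail.example.test"], "sig_alg": "sha1WithRSAEncryption",
     "not_before": date(2014, 11, 10), "not_after": date(2016, 11, 10)},
    {"subject": "CN=api.example.test", "issuer": "CN=Example Public CA",
     "names": ["api.example.test"], "sig_alg": "sha1WithRSAEncryption",
     "not_before": date(2015, 6, 1), "not_after": date(2017, 6, 1)},
]

MAX_VALIDITY = timedelta(days=3 * 365)  # assumed policy limit, not from the article

def findings(cert, reissue_cutoff):
    """Return the weak-control symptoms present on one certificate record."""
    alg = cert["sig_alg"].lower()
    out = ["weak-hash:" + h for h in ("md5", "sha1") if h in alg]
    if cert["issuer"] == cert["subject"]:
        out.append("self-issued")
    if any(n.startswith("*.") for n in cert["names"]):
        out.append("wildcard")
    if cert["not_after"] - cert["not_before"] > MAX_VALIDITY:
        out.append("long-validity")
    if cert["not_before"] < reissue_cutoff:
        out.append("not-reissued-since-cutoff")
    return out

def summarize(inventory, today, reissue_cutoff, fresh_days=90):
    """Fleet-level percentages plus the findings for each flagged certificate."""
    pct = lambda n: round(100.0 * n / max(len(inventory), 1), 1)
    flagged = {c["subject"]: findings(c, reissue_cutoff) for c in inventory}
    fresh = sum((today - c["not_before"]).days <= fresh_days for c in inventory)
    count = lambda tag: sum(tag in f for f in flagged.values())
    return {"pct_not_reissued": pct(count("not-reissued-since-cutoff")),
            "pct_recently_issued": pct(fresh),
            "pct_sha1": pct(count("weak-hash:sha1")),
            "pct_md5": pct(count("weak-hash:md5")),
            "flagged": {s: f for s, f in flagged.items() if f}}

if __name__ == "__main__":
    print(summarize(INVENTORY, today=date(2016, 9, 30), reissue_cutoff=date(2015, 1, 1)))
```

Setting `reissue_cutoff` to the date of a known or suspected compromise turns the first percentage into a direct measure of how much of the fleet still relies on pre-breach keys.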

It’s also entirely possible that the attackers who perpetrated the 2013 breach retained access to the Yahoo network and attacked again in 2014. Our research indicates that it would be very difficult for Yahoo to detect abuse of the assets that secure their encryption. This doesn’t surprise Bocek, who sees this as a relatively common problem. “We find many large organizations with deep investments in security technology don’t have adequate visibility or controls around the encryption they rely on to protect critical data.”

How well have you secured your encryption assets?

About the author

Shelley Boose

Shelley Boose writes for Venafi's blog and is an expert in machine identity protection.