Yahoo! Data Breach and Weak Cryptographic Controls

September 25, 2016 | Shelley Boose

After the Yahoo! breach news last week, the Venafi Labs team decided to do a little digging into the cryptographic posture of external Yahoo! websites, using the Venafi TrustNet global database of certificate intelligence for the research.

Alex Kaplunov, vice president of engineering for Venafi, explains:

“In our experience major breaches, such as the one suffered by Yahoo!, are often accompanied by relatively weak cryptographic controls. To confirm our suspicion, we took an in-depth look at externally facing Yahoo! web properties and the details of how these sites use cryptography. We were not surprised to find the encryption practices on these properties to be relatively weak. This is not surprising. In our experience most enterprises, even global brands with deep cyber security investments, have weak cryptographic controls.”

Here’s what the Venafi Labs team of cryptographic researchers found:

  • 27% of the certificates on external Yahoo! websites have not been reissued since January 2015. Replacing certificates, and the private keys behind them, after a breach is a critical mitigation practice; until they are replaced, a breached organization cannot rule out that attackers who obtained private keys retain ongoing access to encrypted communications or can impersonate its sites.
  • Only 2.5% of the 519 certificates deployed have been issued within the last 90 days, so it is likely that Yahoo! does not have the ability to find and replace digital certificates quickly. Unfortunately, this is a very common problem, even in very large organizations with a significant online presence.
  • Venafi Labs data includes a surprising number of Yahoo! digital certificates signed with MD5, a cryptographic hash function for which practical collision attacks have been public since 2004; an attacker who can produce two inputs with the same MD5 digest can obtain a signature over one of them and present it as a valid signature over the other. Flame, a family of malware used for targeted espionage by nation states, exploited exactly this: a chosen-prefix MD5 collision let its authors obtain a certificate that chained to Microsoft and sign their code as if it came from Microsoft.
  • All of the MD5 certificates in use by Yahoo! today, and many of the other certificates Venafi Labs evaluated, are self-issued. One current MD5 certificate uses a wildcard name (*) and has a validity period of 5 years. Long validity periods, self-issued certificates and wildcard names are all symptoms of weak cryptographic control.
  • 41% of the external Yahoo! certificates discovered by Venafi use SHA-1, a hashing algorithm that is no longer considered secure against well-funded opponents. The major browser vendors have stated that they will stop accepting SHA-1 certificates in January of 2017.
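As an added illustration, not part of the original post or of any Venafi tooling, the Python script below applies the checks behind these findings to a constructed inventory of certificate records: weak signature hash (MD5 or SHA-1), self-issued, wildcard name, long validity, not reissued since January 2015, and the fleet-wide percentages of the kind quoted above. The record fields, the 825-day validity threshold, the sample certificates and the reference date are all assumptions made for the example.

```python
"""Audit a TLS certificate inventory for the weak-control symptoms discussed in the post."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Hash algorithms whose signatures are no longer trustworthy: MD5 has practical
# collision attacks; SHA-1 is being rejected by browsers from January 2017.
WEAK_SIGNATURE_HASHES = {"md5", "sha1"}
# Cutoff from the post: certificates issued before this date count as "not reissued since January 2015".
STALE_CUTOFF = datetime(2015, 1, 1)
# Certificates issued inside this window show the operator can rotate quickly.
RECENT_WINDOW = timedelta(days=90)
# Assumed policy threshold: flag validity periods longer than roughly two years.
MAX_VALIDITY_DAYS = 825


@dataclass
class CertRecord:
    """Fields an inventory scanner would already have extracted from each leaf certificate (assumed schema)."""
    subject: str            # subject DN, e.g. "CN=mail.example.test"
    issuer: str             # issuer DN
    sig_hash: str           # hash in the signature algorithm: "md5", "sha1", "sha256", ...
    not_before: datetime
    not_after: datetime
    sans: List[str] = field(default_factory=list)

    @property
    def self_issued(self) -> bool:
        # A certificate whose issuer DN equals its subject DN was not issued by a CA.
        return self.subject == self.issuer

    @property
    def wildcard(self) -> bool:
        return any("*." in name for name in [self.subject, *self.sans])

    @property
    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days


def audit_cert(cert: CertRecord, now: datetime) -> List[str]:
    """Return the list of weak-control symptoms this certificate exhibits."""
    findings = []
    if cert.sig_hash.lower() in WEAK_SIGNATURE_HASHES:
        findings.append(f"weak signature hash: {cert.sig_hash}")
    if cert.self_issued:
        findings.append("self-issued (issuer equals subject)")
    if cert.wildcard:
        findings.append("wildcard name")
    if cert.validity_days > MAX_VALIDITY_DAYS:
        findings.append(f"long validity: {cert.validity_days} days")
    if cert.not_before < STALE_CUTOFF:
        findings.append(f"not reissued since {STALE_CUTOFF:%B %Y}")
    if cert.not_after < now:
        findings.append("expired")
    return findings


def fleet_summary(certs: List[CertRecord], now: datetime) -> Dict[str, float]:
    """Percentages of the kind quoted in the post, computed over the whole inventory."""
    total = len(certs)

    def pct(count: int) -> float:
        return round(100.0 * count / total, 1) if total else 0.0

    return {
        "total": total,
        "pct_stale": pct(sum(c.not_before < STALE_CUTOFF for c in certs)),
        "pct_recent": pct(sum(timedelta(0) <= now - c.not_before <= RECENT_WINDOW for c in certs)),
        "pct_md5": pct(sum(c.sig_hash.lower() == "md5" for c in certs)),
        "pct_sha1": pct(sum(c.sig_hash.lower() == "sha1" for c in certs)),
        "pct_self_issued": pct(sum(c.self_issued for c in certs)),
    }


# Constructed sample inventory and reference date (the post's publication date); not real Yahoo! data.
NOW = datetime(2016, 9, 25)
SAMPLE_INVENTORY = [
    CertRecord("CN=www.example.test", "CN=Example CA", "sha256",
               datetime(2016, 8, 1), datetime(2017, 8, 1), ["www.example.test"]),
    CertRecord("CN=mail.example.test", "CN=Example CA", "sha1",
               datetime(2014, 6, 1), datetime(2017, 6, 1)),
    CertRecord("CN=*.example.test", "CN=*.example.test", "md5",
               datetime(2013, 3, 1), datetime(2018, 3, 1), ["*.example.test"]),
    CertRecord("CN=api.example.test", "CN=Example CA", "sha256",
               datetime(2016, 1, 15), datetime(2017, 1, 15), ["api.example.test"]),
    CertRecord("CN=legacy.example.test", "CN=Example CA", "sha256",
               datetime(2014, 11, 1), datetime(2016, 5, 1)),
]


if __name__ == "__main__":
    for cert in SAMPLE_INVENTORY:
        print(cert.subject, audit_cert(cert, NOW) or ["ok"])
    print(fleet_summary(SAMPLE_INVENTORY, NOW))
```

In a real deployment the records would come from a scanner or inventory export rather than being typed in; the point of the script is that every symptom listed in the post is a mechanical check over fields that are already in any certificate, so there is no reason an organization cannot run this over its whole estate daily.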

Hari Nair, director of product management and cryptographic researcher for Venafi, put this data in context:

“Any one of these cryptographic issues would leave an organization extremely vulnerable to attacks on encrypted communication and authentication. Collectively, they pose serious questions about whether Yahoo! has the visibility and technology necessary to protect encrypted communications and ensure its customers’ privacy. Our team has been working on a major research project that led us to believe that there is usually a high degree of correlation between weak cryptographic controls and overall cybersecurity posture.”

About the author

Shelley Boose

Shelley is Director of PR and Content Marketing at Venafi. In her own words, "I help companies translate complex technologies into engaging and compelling, digital stories."