Vulnerability Development mailing list archives

Re: Secure Yahoo logins


From: Chris Caydes <chris_caydes () yahoo com>
Date: Wed, 28 Aug 2002 08:48:53 -0700 (PDT)

Hello,

I keep hearing and reading about Yahoo Messenger as
the least secure IM software, because the passwords
are transmitted in plaintext.
Yet Yahoo changed the login process in their
Messenger several months ago, and I don't know if the
criticism about Y!Msg transmitting clear text passwords
applies to the current versions of the product, or
only the old ones.
Or does it apply only if one tries to connect to Yahoo
through an HTTP proxy? Or a SOCKS proxy?
I did some quick testing using "direct" connections
(no proxies).
I sniffed my own Yahoo login with both Ethereal and
Ettercap, and couldn't collect the password. The login
name however, as well as all the aliases and the
entire buddy list, were sniffed as they are
transmitted in clear text. I could easily read all
that information in Ethereal. Both Ethereal and
Ettercap claim to decode the Yahoo protocol, but
neither actually did. What I saw were "raw TCP
packets" :-)
I did the same test with ICQ and I collected the
password easily using Ettercap.

I believe Yahoo made some changes in their IM
protocol a few months ago, and the sniffers only
decode the previous version of the protocol.
I came across the following document on the web, which
explains some of the Yahoo Protocol.
http://www.venkydude.com/articles/yahoo.htm
 
Regards
Chris
