Vulnerability Development mailing list archives
Re: Secure Yahoo logins
From: Chris Caydes <chris_caydes () yahoo com>
Date: Wed, 28 Aug 2002 09:53:18 -0700 (PDT)
Well, Alan seems to have the same kind of information as me on this... If it is confirmed that the newer versions of the Yahoo Messenger protocol do not transmit the password in plain text, then users should all upgrade their Messenger and use the ymsg10 or ymsg9 protocol. This should probably answer Jeremy's concerns. Even then, it does not change a thing for the security of the data transmitted after login, including screen name, aliases, buddy list, and messages, but at least the newer versions of Yahoo seem at a same level of (in)security as the other major IM programs. As far as I am concerned, I am not confident in letting people use IM programs in a corporate environment. I would much more confident with a corporate IM system (with an internal IM server), that would eventually include a gateway to external servers (Yahoo, MSN, etc.) The architecture of Instant Messaging services in a corporate environment would then be similar to the architecture of e-mail : an internal e-mail server with user accounts, and an e-mail gateway to the Internet. This sounds much better than deploying POP3 clients and giving everyone in the company a Yahoo Mail account, doesn't it ? I have heard of a IM server for enterprises : "Akonix L7". Has anyone successfully deployed this product ? Any interesting experiences to share ? Regards Chris
A couple things - one, yahoo DOES send the password in plain text, you just have to capture it at the right time,That aint true the last time i was messing with yahoo protocols i learned alot for them there main ones are called ycht and ymsg and depending on what protocol you use when logging in it will then depend how the password is sent. On the ycht protocol your password will be sent in clear text in the login string i here there is plans for yahoo to stop using this protocol but ymsg it is alot more secure at first ymsg wasn't to great and it had problems where people could authenticate there selfs as any user without there password for a good txt on ymsg9 you should read http://www.venkydude.com/articles/yahoo.htm yahoo is now at ymsg10 but it ant much changes from 9. Regards Alan
__________________________________________________ Do You Yahoo!? Yahoo! Finance - Get real-time stock quotes http://finance.yahoo.com
Current thread:
- Re: Secure Yahoo logins, (continued)
- Re: Secure Yahoo logins David Schwartz (Aug 27)
- Re: Secure Yahoo logins John Madden (Aug 27)
- Re: Secure Yahoo logins Roland Postle (Aug 28)
- Re: Secure Yahoo logins Nick Jacobsen (Aug 27)
- Re: Secure Yahoo logins David Thiel (Aug 27)
- Re: Secure Yahoo logins Nick Jacobsen (Aug 28)
- Re: Secure Yahoo logins David Thiel (Aug 28)
- Re: Secure Yahoo logins Steve Bremer (Aug 28)
- Re: Secure Yahoo logins David Thiel (Aug 27)
- Re: Secure Yahoo logins Alan McCaig (Aug 28)
- Re: Secure Yahoo logins Chris Caydes (Aug 28)
- Re: Secure Yahoo logins Chris Caydes (Aug 28)
- RE: Secure Yahoo logins Kayne Ian (Softlab) (Aug 29)
- Re: Secure Yahoo logins Muhammad Faisal Rauf Danka (Aug 29)