Re: Secure Yahoo logins

[John Madden <maddenj () skynet ie>]

On (27/08/02 22:10), Jeremy didst pronounce:
>   Well, to do a test I fired up ethereal and captured a session of me logging into a new yahoo account. What kind of 
> suprised me is the password looks encrypted. My first guess was it was just base 64 mime encoded but that turned out 
> to be wrong. Does anyone have any idea on how they encrypt their passwords or have any tools that will try and crack 
> the passwords.

I remember trying that here using arpspoof and dsniff. It captured the
URL that was being used. From what I remember, the password was MD5
encrypted, and it said so in the URL. But, that said, there's no need to
decrypt the password. Just paste that URL into your browser and it'll
bring you directly into the persons yahoo email account.

>   My other question is if the passwords are encrypted why do they offer a secure login option? How does that increase 
> security, other than adding a brief ssl session.
I think I already covered this above -- because you don't need to know
the password to log into their email account, you only need the URL that
was sent.

-- 
Chat ya later,

John.
--
BOFH excuse #157: Incorrect time syncronization