Thread: Yahoo's sign-in seal technology

  1. #1
    Registered User
    Join Date
    May 2006
    Posts
    1,579

    Yahoo's sign-in seal technology

    Hello everyone,


    Yahoo is using a technology called sign-in seal to protect passwords from being stolen. Check,

    http://mail.yahoo.com

    http://help.yahoo.com/l/us/yahoo/edi...y/edit-39.html

    Does anyone know what it is and whether there are any documents/SDK supporting that feature? I have Googled, but can only find advertisements ...


    thanks in advance,
    George

  2. #2
    Registered User major_small's Avatar
    Join Date
    May 2003
    Posts
    2,787
    that... doesn't look very secure at all...

    just build your own version... let them save something on their computer, and have a way to read it from their computer and display it back to them from your server...

    don't put it in a cookie though or it'll break security.

    basically, this is how it works afaik:
    1. you create an image on your computer
    2. you tell their servers where to find that image on your computer
    3. when you go to log in, their servers grab that image off your computer and show it to you


    it's working kinda like an AIM profile message... if you change computers, your profile changes because it's saved locally on your computer and not their central servers. a phishing site wouldn't know where to find the file you told yahoo to find, so they couldn't spoof the site as easily.

    this is to try to prevent phishing... which is when somebody kites you to a fake site and steals your information... it doesn't prevent people from stealing passwords from their servers.

    <rant> IMO, if you're dumb enough to get your password stolen like that, you deserved it... there are too many dumb people in america, and it's because we let them get away with it... for example LD50... why? if you drink that much poison to where you need to know what the LD50 is, you need to die anyway... and the people that even know what LD50 is aren't stupid enough to drink the stuff in the first place... sooo many dead animals... for what? </rant>
    Last edited by major_small; 09-18-2006 at 01:41 PM.

  3. #3
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    This came up on my login as well and I think the whole concept is stupid.

  4. #4
    Registered User
    Join Date
    May 2006
    Posts
    1,579
    Thank you major_small,


    Quote Originally Posted by major_small
    that... doesn't look very secure at all...

    just build your own version... let them save something on their computer, and have a way to read it from their computer and display it back to them from your server...

    don't put it in a cookie though or it'll break security.

    basically, this is how it works afaik:
    1. you create an image on your computer
    2. you tell their servers where to find that image on your computer
    3. when you go to log in, their servers grab that image off your computer and show it to you


    it's working kinda like an AIM profile message... if you change computers, your profile changes because it's saved locally on your computer and not their central servers. a phishing site wouldn't know where to find the file you told yahoo to find, so they couldn't spoof the site as easily.

    this is to try to prevent phishing... which is when somebody kites you to a fake site and steals your information... it doesn't prevent people from stealing passwords from their servers.

    <rant> IMO, if you're dumb enough to get your password stolen like that, you deserved it... there are too many dumb people in america, and it's because we let them get away with it... for example LD50... why? if you drink that much poison to where you need to know what the LD50 is, you need to die anyway... and the people that even know what LD50 is aren't stupid enough to drink the stuff in the first place... sooo many dead animals... for what? </rant>
    I am wondering whether the picture is encrypted on my local computer and only the *trusted* server can decrypt it and display it correctly?

    Because, I think if the picture is not encrypted, the fake site still has chances to find it from my local computer, just by searching some default path or the path related with the real site name.


    regards,
    George

  5. #5
    Registered User
    Join Date
    May 2006
    Posts
    1,579
    Hi Bubba,


    Quote Originally Posted by Bubba
    This came up on my login as well and I think the whole concept is stupid.
    Why do you think this technology is stupid? Any reasons?


    regards,
    George

  6. #6
    Registered User major_small's Avatar
    Join Date
    May 2003
    Posts
    2,787
    Quote Originally Posted by George2
    I am wondering whether the picture is encrypted on my local computer and only the *trusted* server can decrypt it and display it correctly?

    Because, I think if the picture is not encrypted, the fake site still has chances to find it from my local computer, just by searching some default path or the path related with the real site name.


    regards,
    George
    I doubt it is... it's stupid because it's basically a security through obscurity type of thing... and like I said... IMO it's a waste... it's only protecting against phishing, and makes it harder to get into your account on a public computer...

  7. #7
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    It's stupid b/c there is a simple way for your password to never get stolen.
    Don't give it to anyone

    If people are dumb enough to hand out their password in an email you think they are going to understand how to use this seal trash? And besides people will find a way around it, too.

    Sorry, but you can't cure stupid no matter how hard you try.

  8. #8
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    This is an excellent idea with a poor implementation. It is not a new idea, the Lotus Notes log-in has used an anti-phishing scheme for several years, although it is (or was) flawed (PDF, includes screenshots).
    Quote Originally Posted by major_small
    basically, this is how it works afaik:

    1. you create an image on your computer
    2. you tell their servers where to find that image on your computer
    3. when you go to log in, their servers grab that image off your computer and show it to you
    From what I gather, it saves a cookie on your machine, rather than the actual image:
    1. You upload an image to yahoo.com
    2. Yahoo.com saves a cookie on your machine identifying the image.
    3. When you visit yahoo.com, the cookie is uploaded, and yahoo.com shows you the image.
    4. When you visit a phishing site, the browser does not upload the cookie (even if it did, the phishing site does not have the image), and the image is not shown.
    5. When you visit yahoo.com from a different computer, or have deleted your cookies, the image is not shown.
    6. When another person using the same computer account visits yahoo.com and completes step 1, their image will show up when you visit yahoo.com.

    This scheme is severely flawed, as the correct image will not always show up. This will train users to enter their password even when the image is not present or not correct. This is almost worse than no anti-phishing scheme at all.

    This would be a far better scheme:
    1. Users use a two part password.
    2. Users upload an image to banking.com.
    3. When users visit banking.com, they enter their username and the first part of the password, then press OK.
    4. banking.com shows the image, with the message "Never enter the second part of your password if this image is different to usual or is not present."
    5. User, after verifying image, enters second part of password. For high-security sites, there would be a five second delay before the second-part textbox showed up, forcing the user to look at the image before continuing.
    6. This scheme would work with multiple computers, multiple users, etc.

    EDIT: STUPID, STUPID, STUPID! Of course, this scheme wouldn't work, the phishing site could just go and retrieve the image itself!

    I don't know why this scheme isn't used. Maybe users can't handle two-part passwords?
    If people are dumb enough to hand out their password in an email you think they are going to understand how to use this seal trash? And besides people will find a way around it, too.
    People don't hand it out in an email, they follow a link to a site which looks exactly like the yahoo.com login (and has a similar URL, or with browser issues, apparently the same URL) and enter it there. This works because the site looks exactly the same. Users would be much less likely to enter their password on a site which looks notably different.
    Last edited by anonytmouse; 09-20-2006 at 03:00 AM.
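The cookie-based flow anonytmouse lays out in steps 1 to 6, as an added simulation that is not code from the thread or from Yahoo: an origin-scoped cookie jar stands in for the browser, the seal cookie holds an opaque random token rather than the image, and the look-alike origin name and image file names are constructed placeholders.

```python
import secrets
from typing import Optional


class Browser:
    """Cookie jar scoped per origin; that scoping is what keeps the seal from a phishing site."""
    def __init__(self) -> None:
        self.jar: dict[str, dict[str, str]] = {}

    def set_cookie(self, origin: str, name: str, value: str) -> None:
        self.jar.setdefault(origin, {})[name] = value

    def cookies_for(self, origin: str) -> dict[str, str]:
        return dict(self.jar.get(origin, {}))

    def clear_cookies(self) -> None:
        self.jar.clear()


class SealServer:
    """Server side: stores uploaded images under random tokens (constructed model of the scheme)."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.seals: dict[str, str] = {}  # token -> image reference

    def enroll(self, browser: Browser, image: str) -> None:
        # Steps 1-2: store the image under an unguessable token and set that token
        # as a cookie for this origin only; the image itself never leaves the server.
        token = secrets.token_urlsafe(32)
        self.seals[token] = image
        browser.set_cookie(self.origin, "seal", token)

    def login_page(self, browser: Browser) -> Optional[str]:
        # Step 3: the browser presents cookies for this origin; show the matching image, if any.
        token = browser.cookies_for(self.origin).get("seal")
        return self.seals.get(token) if token else None


def demo() -> dict[str, Optional[str]]:
    yahoo = SealServer("login.yahoo.com")
    phisher = SealServer("login.yah00.example")  # constructed look-alike origin, holds no seals
    alice = Browser()
    yahoo.enroll(alice, "alice-cat.jpg")
    results = {
        "real_site": yahoo.login_page(alice),           # step 3: seal shown
        "phishing_site": phisher.login_page(alice),     # step 4: cookie not sent, no image
        "other_computer": yahoo.login_page(Browser()),  # step 5: no cookie, seal absent
    }
    yahoo.enroll(alice, "bob-dog.jpg")                  # step 6: second user on same profile
    results["shared_profile"] = yahoo.login_page(alice)  # overwrites the cookie, wrong seal
    alice.clear_cookies()
    results["after_clearing_cookies"] = yahoo.login_page(alice)  # step 5 again
    return results
```

Steps 5 and 6 return no seal or the wrong seal on the genuine site, which is the "trains users to ignore a missing image" problem the post describes.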

  9. #9
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    People don't hand it out in an email, they follow a link to a site which looks exactly like the yahoo.com login (and has a similar URL, or with browser issues, apparently the same URL) and enter it there. This works because the site looks exactly the same. Users would be much less likely to enter their password on a site which looks notably different.

    And they never wonder why they had to click on a site to get to the yahoo login? The login only comes up after it times out and the session is over. There is a standard site for the login and yahoo tells you the complete URL for it.

  10. #10
    Registered User
    Join Date
    May 2006
    Posts
    1,579
    Thank you major_small,


    Quote Originally Posted by major_small
    I doubt it is... it's stupid because it's basically a security through obscurity type of thing... and like I said... IMO it's a waste... it's only protecting against phishing, and makes it harder to get into your account on a public computer...
    I think for a public computer or for a rich person who has a couple of computers, he/she can use a picture on each computer, right? So, it also works.


    regards,
    George

  11. #11
    Registered User
    Join Date
    May 2006
    Posts
    1,579
    Hi Bubba,


    Quote Originally Posted by Bubba
    It's stupid b/c there is a simple way for your password to never get stolen.
    Don't give it to anyone

    If people are dumb enough to hand out their password in an email you think they are going to understand how to use this seal trash? And besides people will find a way around it, too.

    Sorry, but you can't cure stupid no matter how hard you try.
    I partially agree with you. :-)

    I think this technology is to prevent users from sending their password to the wrong web site. If people themselves are not security aware, and will send passwords through email, this technology will not work.

    So, in the scope of preventing users from sending their password to a fake web site, this technology is enough, right? I agree with you that people have other means to leak passwords.


    regards,
    George

  12. #12
    Registered User
    Join Date
    May 2006
    Posts
    1,579
    Bubba,


    Quote Originally Posted by Bubba
    And they never wonder why they had to click on a site to get to the yahoo login? The login only comes up after it times out and the session is over. There is a standard site for the login and yahoo tells you the complete URL for it.
    What do "The login only comes up after it times out and the session is over" and "yahoo tells you the complete URL for it" mean? I am confused about what you mean.


    regards,
    George

  13. #13
    Registered User
    Join Date
    May 2006
    Posts
    1,579
    Thank you for your excellent description anonytmouse!


    Quote Originally Posted by anonytmouse
    This is an excellent idea with a poor implementation. It is not a new idea, the Lotus Notes log-in has used an anti-phishing scheme for several years, although it is (or was) flawed (PDF, includes screenshots).

    From what I gather, it saves a cookie on your machine, rather than the actual image:
    1. You upload an image to yahoo.com
    2. Yahoo.com saves a cookie on your machine identifying the image.
    3. When you visit yahoo.com, the cookie is uploaded, and yahoo.com shows you the image.
    4. When you visit a phishing site, the browser does not upload the cookie (even if it did, the phishing site does not have the image), and the image is not shown.
    5. When you visit yahoo.com from a different computer, or have deleted your cookies, the image is not shown.
    6. When another person using the same computer account visits yahoo.com and completes step 1, their image will show up when you visit yahoo.com.

    This scheme is severely flawed, as the correct image will not always show up. This will train users to enter their password even when the image is not present or not correct. This is almost worse than no anti-phishing scheme at all.

    This would be a far better scheme:
    1. Users use a two part password.
    2. Users upload an image to banking.com.
    3. When users visit banking.com, they enter their username and the first part of the password, then press OK.
    4. banking.com shows the image, with the message "Never enter the second part of your password if this image is different to usual or is not present."
    5. User, after verifying image, enters second part of password. For high-security sites, there would be a five second delay before the second-part textbox showed up, forcing the user to look at the image before continuing.
    6. This scheme would work with multiple computers, multiple users, etc.

    EDIT: STUPID, STUPID, STUPID! Of course, this scheme wouldn't work, the phishing site could just go and retrieve the image itself!

    I don't know why this scheme isn't used. Maybe users can't handle two-part passwords?

    People don't hand it out in an email, they follow a link to a site which looks exactly like the yahoo.com login (and has a similar URL, or with browser issues, apparently the same URL) and enter it there. This works because the site looks exactly the same. Users would be much less likely to enter their password on a site which looks notably different.
    I think traditional SSL technology (like https) can also do bi-directional authentication, meaning the user verifies the web site and vice versa. Why do we need to re-invent a new technology?


    regards,
    George
