Pre-MSN P8 authentication was based on the client computing a secure hash and sending it to the server, but the new SSL authentication requires you to send the password over SSL, i.e. the password is actually sent to one of n servers. This appears (to me) to actually reduce security.
- Password is sent to a remote location.
- If the password is relayed from the destination SSL server to one or more upstream servers, my password (not an obfuscated hash) is sent to more nodes.
- SSL is prone to man-in-the-middle attacks. So one can insert an SSL server that appears to be the destination. This can be done if the DNS is compromised. (This could be done at network level, hosts file, etc.) SSL on the client side may verify the destination server's identity against a truststore, but that is vulnerable too. :-(

If the SSL server can be mimicked, basically the attacker can create a proxy, appear like the real destination and slurp all passwords.

My point is that MS has actually reduced security by forcing people to send their password over the network instead of a hash of the password.

Harmeet

PS: Sorry about changing topic on thread, but this had nothing to do with yahoo. Also, the last email got partially sent. (I am trying to get used to a different mail client.)

----- Original Message -----
From: Tijl Houtbeckers <[EMAIL PROTECTED]>
Sent: Sep 12, 2:11 AM

> Matthias Wimmer <[EMAIL PROTECTED]> wrote on 12-9-2003 1:21:10:
>
> >Hi Andrew!
> >
> >Andrew Sayers wrote on 2003-09-11 15:31:27:
> >> > Note: Protocol change in MSN is due to some security issues, AFAIK.
> >> For the record, MS claim there is a security weakness in older
> >> versions of the protocol, which they haven't disclosed. I assume
> >> they'll tell us about it once it's no longer a live issue.
> >
> >I am not really sure if there is a real security problem in the old
> >protocol. But we'll see if they tell us about a real one after it has
> >been shut down.
>
> Well it depends on how you look at it. Microsoft wants people to
> upgrade to a version of the protocol that uses SSL, so that when they
> choose they can start depending on client-side SSL certificates to know
> who their users are. Since you can't do that with the old protocol, from
> that perspective you could call it "insecure".
>
> --
> Tijl Houtbeckers
> Software Engineer @ Splendo
> The Netherlands
>
> _______________________________________________
> jdev mailing list
> [EMAIL PROTECTED]
> http://mailman.jabber.org/listinfo/jdev
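The contrast drawn in the message above, as an added sketch that is not part of the original email and does not reproduce the MSN wire format: it compares what an intermediate hop holds after a challenge-hash login with what it holds after a password-over-tunnel login. HMAC-SHA256, the `Server` class, `relay_view` and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery"  # constructed sample credential


def client_response(password: str, challenge: bytes) -> str:
    """Challenge-hash login: prove knowledge of the password by keying
    an HMAC over the server's one-time challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


class Server:
    """Hypothetical login endpoint that knows the account password."""

    def __init__(self, password: str):
        self._password = password
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify_response(self, response: str) -> bool:
        challenge, self._pending = self._pending, None  # single use
        if challenge is None:
            return False
        expected = client_response(self._password, challenge)
        return hmac.compare_digest(expected, response)

    def verify_password(self, password: str) -> bool:
        return hmac.compare_digest(self._password.encode(), password.encode())


def relay_view():
    """Return (first login ok, recorded hash accepted later,
    recorded password accepted later) as seen from an intermediate hop."""
    server = Server(PASSWORD)
    # Design A: only the hash over challenge + password crosses the hop.
    seen_hash = client_response(PASSWORD, server.new_challenge())
    first_ok = server.verify_response(seen_hash)
    server.new_challenge()  # later session gets a fresh challenge
    hash_reusable = server.verify_response(seen_hash)
    # Design B: the password crosses the hop; the tunnel protects it in
    # transit, but the terminating server and anything behind it hold it.
    seen_password = PASSWORD
    password_reusable = server.verify_password(seen_password)
    return first_ok, hash_reusable, password_reusable
```

The sketch covers only reuse of the recorded value in a later session; it does not model certificate validation or the strength of the hash itself.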
