Yahoo! and Login system

  • R. Rajesh Jeba Anbiah

    Yahoo! and Login system

    [This is a bit off-topic. I'm posting here to get some sort of PHP
    solution]

    This is regarding secure login implementation in PHP. I'm trying to
    understand <http://mail.yahoo.com/>. If I understand right, they're
    passing the md5 hash instead of the password itself. But, I couldn't
    understand the use of the "challenge" string in their mechanism. IIRC,
    some time ago, I read somewhere that this kind of system is not secure
    at all. Does anyone have any idea?

    --
    "I don't believe in the God who doesn't give me food, but shows me
    heaven!"--Swami Vivekanandha
    Email: rrjanbiah-at-Y!com
  • Guillaume Brocker

    #2
    Re: Yahoo! and Login system

    R. Rajesh Jeba Anbiah wrote:
    > [This is a bit off-topic. I'm posting here to get some sort of PHP
    > solution]
    >
    > This is regarding secure login implementation in PHP. I'm trying to
    > understand <http://mail.yahoo.com/>. If I understand right, they're
    > passing the md5 hash instead of the password itself. But, I couldn't
    > understand the use of the "challenge" string in their mechanism. IIRC,
    > some time ago, I read somewhere that this kind of system is not secure
    > at all. Does anyone have any idea?

    If you are speaking about HTTP header fields, this is part of the HTTP
    standard. You may read the HTTP RFC for further details.

    <http://www.faqs.org/rfcs/rfc2616.html>

    --
    Guillaume Brocker

    • R. Rajesh Jeba Anbiah

      #3
      Re: Yahoo! and Login system

      Guillaume Brocker <guillaume.brocker@ircad.u-strasbg.fr> wrote in message news:<40501a29$0$303$626a14ce@news.free.fr>...
      > R. Rajesh Jeba Anbiah wrote:
      > > [This is a bit off-topic. I'm posting here to get some sort of PHP
      > > solution]
      > >
      > > This is regarding secure login implementation in PHP. I'm trying to
      > > understand <http://mail.yahoo.com/>. If I understand right, they're
      > > passing the md5 hash instead of the password itself. But, I couldn't
      > > understand the use of the "challenge" string in their mechanism. IIRC,
      > > some time ago, I read somewhere that this kind of system is not secure
      > > at all. Does anyone have any idea?
      >
      > If you are speaking about HTTP header fields, this is part of the HTTP
      > standard. You may read the HTTP RFC for further details.
      >
      > <http://www.faqs.org/rfcs/rfc2616.html>

      Thanks for your reply. You might have misunderstood my post. My
      question was about secure login implementation & how far Yahoo! is
      secure with their system. They use md5 hash as well as "challenge"
      string. (I couldn't understand the reason behind "challenge" string;
      but I understand the md5 hash).

      --
      "I don't believe in the God who doesn't give me food, but shows me
      heaven!"--Swami Vivekanandha
      Email: rrjanbiah-at-Y!com

      • Chung Leong

        #4
        Re: Yahoo! and Login system


        "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in
        message news:abc4d8b8.0403110601.75db0ebb@posting.google.com...
        > Thanks for your reply. You might have misunderstood my post. My
        > question was about secure login implementation & how far Yahoo! is
        > secure with their system. They use md5 hash as well as "challenge"
        > string. (I couldn't understand the reason behind "challenge" string;
        > but I understand the md5 hash).

        The purpose of the challenge string is to make the md5 hash unique for every
        login attempt. Otherwise, if the md5 hash is the same every time, then
        someone who's intercepted the hash can just use the hash to log into the
        system--in essence, the md5 hash has become the password.

        HTTP's digest authentication is based on such a challenge/response mechanism,
        so it's worthwhile to take a look at the RFC.

        • R. Rajesh Jeba Anbiah

          #5
          Re: Yahoo! and Login system

          "Chung Leong" <chernyshevsky@hotmail.com> wrote in message news:<RJKdnZLHIvaspszd4p2dnA@comcast.com>...
          > "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in
          > message news:abc4d8b8.0403110601.75db0ebb@posting.google.com...
          > > Thanks for your reply. You might have misunderstood my post. My
          > > question was about secure login implementation & how far Yahoo! is
          > > secure with their system. They use md5 hash as well as "challenge"
          > > string. (I couldn't understand the reason behind "challenge" string;
          > > but I understand the md5 hash).
          >
          > The purpose of the challenge string is to make the md5 hash unique for every
          > login attempt. Otherwise, if the md5 hash is the same every time, then
          > someone who's intercepted the hash can just use the hash to log into the
          > system--in essence, the md5 hash has become the password.
          >
          > HTTP's digest authentication is based on such a challenge/response mechanism,
          > so it's worthwhile to take a look at the RFC.

          Thanks a lot for your info. I was thinking that he misunderstood my
          post. I'll certainly look at the RFC.

          BTW, I'm still scratching my head on it. If I understand right,
          they're also passing the challenge string to the server and they pass
          all the variables via the URL. I still wonder how this will be secure.
          Some time ago I read an article that says this method is not secure;
          but I lost that link now.

          --
          "I don't believe in the God who doesn't give me food, but shows me
          heaven!"--Swami Vivekanandha
          Email: rrjanbiah-at-Y!com

          • Geoff Berrow

            #6
            Re: Yahoo! and Login system

            I noticed that Message-ID:
            <abc4d8b8.0403120314.7917985c@posting.google.com> from R. Rajesh Jeba
            Anbiah contained the following:
            > BTW, I'm still scratching my head on it. If I understand right,
            > they're also passing the challenge string to the server and they pass
            > all the variables via the URL. I still wonder how this will be secure.
            > Some time ago I read an article that says this method is not secure;
            > but I lost that link now.

            Are they not using javascript to generate a combination MD5 hash?
            --
            Geoff Berrow (put thecat out to email)
            It's only Usenet, no one dies.
            My opinions, not the committee's, mine.
            Simple RFDs http://www.ckdog.co.uk/rfdmaker/

            • R. Rajesh Jeba Anbiah

              #7
              Re: Yahoo! and Login system

              Geoff Berrow <blthecat@ckdog.co.uk> wrote in message news:<tv735098b8monqijvlmjmq310hjlr8cbou@4ax.com>...
              > I noticed that Message-ID:
              > <abc4d8b8.0403120314.7917985c@posting.google.com> from R. Rajesh Jeba
              > Anbiah contained the following:
              >
              > > BTW, I'm still scratching my head on it. If I understand right,
              > > they're also passing the challenge string to the server and they pass
              > > all the variables via the URL. I still wonder how this will be secure.
              > > Some time ago I read an article that says this method is not secure;
              > > but I lost that link now.
              >
              > Are they not using javascript to generate a combination MD5 hash?

              They use JS to generate md5. But, I couldn't get your "hint" :-(

              BTW, if I understand right they stuff the challenge string in the
              session or DB before showing it in the form; and after the form gets
              submitted (in Yahoo! they use only GET) they validate the inputs. If
              this is true, I think the CAPTCHA technique will be better than this.

              --
              "Democracy: Where all citizens are politicians and all politicians
              are citizens"
              Email: rrjanbiah-at-Y!com

              • Geoff Berrow

                #8
                Re: Yahoo! and Login system

                I noticed that Message-ID:
                <abc4d8b8.0403122042.1470627b@posting.google.com> from R. Rajesh Jeba
                Anbiah contained the following:
                > > Are they not using javascript to generate a combination MD5 hash?
                >
                > They use JS to generate md5. But, I couldn't get your "hint" :-(

                I meant, do they do an MD5 of the password /and/ the challenge string
                together, so that the hash would never be the same and could not be
                intercepted and used as a password.

                Can't see the point of doing an MD5 client side otherwise.

                --
                Geoff Berrow (put thecat out to email)
                It's only Usenet, no one dies.
                My opinions, not the committee's, mine.
                Simple RFDs http://www.ckdog.co.uk/rfdmaker/
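The replay problem Chung Leong describes and the combined hash Geoff asks about, as an added simulation that is not from the thread or from Yahoo!'s code. It is written in Python rather than PHP so it runs stand-alone; the layout md5(md5(password) + challenge) with the server storing md5(password), the sample account, and the class and function names are assumptions, and MD5 is used only because that is what the thread discusses.

```python
import hashlib
import secrets

# Constructed sample account. The server keeps md5(password), not the
# password itself (an assumption about the scheme the thread describes).
USERS = {"rajesh": hashlib.md5(b"correct horse").hexdigest()}


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


class StaticHashServer:
    """No challenge: the client sends md5(password) on every login. The value
    never changes, so whoever observes it once holds a password equivalent."""

    def login(self, user: str, sent_hash: str) -> bool:
        return secrets.compare_digest(USERS.get(user, ""), sent_hash)


class ChallengeServer:
    """Challenge/response: a fresh random challenge is stored server-side
    before the form is shown; the only acceptable answer for it is
    md5(md5(password) + challenge), and each challenge is usable once."""

    def __init__(self) -> None:
        self.pending: dict[str, str] = {}  # challenge -> user it was issued to

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = user
        return challenge

    def login(self, user: str, challenge: str, sent_hash: str) -> bool:
        # Consume the challenge whether or not the answer is right, so a
        # captured (challenge, response) pair is worthless a second time.
        if self.pending.pop(challenge, None) != user:
            return False
        return secrets.compare_digest(md5_hex(USERS[user] + challenge), sent_hash)


def client_response(password: str, challenge: str) -> str:
    """What the browser-side code computes before submitting the form."""
    return md5_hex(md5_hex(password) + challenge)


def replay_demo() -> dict[str, bool]:
    """Replay one captured submission against each server; returns outcomes."""
    results = {}
    static = StaticHashServer()
    captured = md5_hex("correct horse")  # the static client's submission
    results["static_first_login"] = static.login("rajesh", captured)
    results["static_replay"] = static.login("rajesh", captured)

    srv = ChallengeServer()
    ch = srv.issue_challenge("rajesh")
    resp = client_response("correct horse", ch)  # the captured submission
    results["challenge_first_login"] = srv.login("rajesh", ch, resp)
    results["challenge_replay"] = srv.login("rajesh", ch, resp)
    results["challenge_replay_new_challenge"] = srv.login(
        "rajesh", srv.issue_challenge("rajesh"), resp)
    return results
```

replay_demo() accepts the static hash both times but the challenge/response only once; the replayed response also fails against a freshly issued challenge.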

                • CountScubula

                  #9
                  Re: Yahoo! and Login system

                  If I may ask, are you trying to gain knowledge, or are you trying to write
                  something that interacts with Yahoo?

                  If you are trying to check mail on Yahoo, then POP it from
                  pop.mail.yahoo.com

                  --
                  Mike Bradley
                  http://www.gzentools.com -- free online php tools
                  "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in message
                  news:abc4d8b8.0403102220.2e446c43@posting.google.com...
                  > [This is a bit off-topic. I'm posting here to get some sort of PHP
                  > solution]
                  >
                  > This is regarding secure login implementation in PHP. I'm trying to
                  > understand <http://mail.yahoo.com/>. If I understand right, they're
                  > passing the md5 hash instead of the password itself. But, I couldn't
                  > understand the use of the "challenge" string in their mechanism. IIRC,
                  > some time ago, I read somewhere that this kind of system is not secure
                  > at all. Does anyone have any idea?
                  >
                  > --
                  > "I don't believe in the God who doesn't give me food, but shows me
                  > heaven!"--Swami Vivekanandha
                  > Email: rrjanbiah-at-Y!com

                  • R. Rajesh Jeba Anbiah

                    #10
                    Re: Yahoo! and Login system

                    Geoff Berrow <blthecat@ckdog.co.uk> wrote in message news:<7bv550lg6rd99rstdamrj0bh5nqc4olara@4ax.com>...
                    > I noticed that Message-ID:
                    > <abc4d8b8.0403122042.1470627b@posting.google.com> from R. Rajesh Jeba
                    > Anbiah contained the following:
                    >
                    > > > Are they not using javascript to generate a combination MD5 hash?
                    > >
                    > > They use JS to generate md5. But, I couldn't get your "hint" :-(
                    >
                    > I meant, do they do an MD5 of the password /and/ the challenge string
                    > together, so that the hash would never be the same and could not be
                    > intercepted and used as a password.

                    Yes, they form another hash with the help of the challenge string, as
                    Chung Leong said. If I understand right, the CAPTCHA technique will be
                    better than this. I have also looked at HTTP Digest Authentication,
                    which uses such a challenge string mechanism; but it seems to be useless
                    (<http://static.userland.com/userLandDiscussArchive/msg012483.html>)

                    > Can't see the point of doing an MD5 client side otherwise.

                    Yes, this guy has some hacking-like stuff
                    <http://theory.cs.iitm.ernet.in/~arvindn/yahoo/> And, finally I
                    couldn't find anything better except the secure server solution.

                    --
                    "Democracy: Where all citizens are politicians and all politicians
                    are citizens"
                    Email: rrjanbiah-at-Y!com

                    • R. Rajesh Jeba Anbiah

                      #11
                      Re: Yahoo! and Login system

                      "CountScubula" <me@scantek.hotmail.com> wrote in message news:<XjJ4c.23637$0I1.894@newssvr29.news.prodigy.com>...
                      > If I may ask, are you trying to gain knowledge, or are you trying to write
                      > something that interacts with Yahoo?

                      I'm trying to find a better but secure login system. And, also
                      analyzing if Yahoo! has a better system or not.

                      --
                      "Democracy: Where all citizens are politicians and all politicians
                      are citizens"
                      Email: rrjanbiah-at-Y!com

                      • CountScubula

                        #12
                        Re: Yahoo! and Login system

                        Oh, ok.

                        hmm, try using an SSL page for login?

                        --
                        Mike Bradley
                        http://www.gzentools.com -- free online php tools
                        "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in message
                        news:abc4d8b8.0403142348.1d05de8d@posting.google.com...
                        > "CountScubula" <me@scantek.hotmail.com> wrote in message
                        > news:<XjJ4c.23637$0I1.894@newssvr29.news.prodigy.com>...
                        > > If I may ask, are you trying to gain knowledge, or are you trying to write
                        > > something that interacts with Yahoo?
                        >
                        > I'm trying to find a better but secure login system. And, also
                        > analyzing if Yahoo! has a better system or not.
                        >
                        > --
                        > "Democracy: Where all citizens are politicians and all politicians
                        > are citizens"
                        > Email: rrjanbiah-at-Y!com

                        • R. Rajesh Jeba Anbiah

                          #13
                          Re: Yahoo! and Login system

                          "CountScubula" <me@scantek.hotmail.com> wrote in message news:<ARe5c.24067$494.14740@newssvr29.news.prodigy.com>...
                          > Oh, ok.
                          >
                          > hmm, try using an SSL page for login?

                          Yeah, that seems to be the only bullet-proof solution :-(

                          --
                          "Democracy: Where all citizens are politicians and all politicians are citizens"
                          Email: rrjanbiah-at-Y!com

                          • Geoff Berrow

                            #14
                            Re: Yahoo! and Login system

                            I noticed that Message-ID:
                            <abc4d8b8.0403150620.1b66e403@posting.google.com> from R. Rajesh Jeba
                            Anbiah contained the following:
                            > > hmm, try using an SSL page for login?
                            >
                            > Yeah, that seems to be the only bullet-proof solution :-(

                            Plus regular checks to make sure keystroke loggers are not installed.

                            I'm sometimes amused at people who go to such lengths over security.
                            They are probably the same people who casually hand over their credit
                            card to the waiter in a restaurant...

                            --
                            Geoff Berrow (put thecat out to email)
                            It's only Usenet, no one dies.
                            My opinions, not the committee's, mine.
                            Simple RFDs http://www.ckdog.co.uk/rfdmaker/

                            • CountScubula

                              #15
                              Re: Yahoo! and Login system


                              I use an md5 challenge with my waiter when I hand him a credit card, but he
                              usually has a blank look on his face.

                              --
                              Mike Bradley
                              http://www.gzentools.com -- free online php tools
                              "Geoff Berrow" <blthecat@ckdog.co.uk> wrote in message
                              news:agkb505jdpodms5bu8ktl6nbbgm346cps0@4ax.com...
                              > I noticed that Message-ID:
                              > <abc4d8b8.0403150620.1b66e403@posting.google.com> from R. Rajesh Jeba
                              > Anbiah contained the following:
                              >
                              > > > hmm, try using an SSL page for login?
                              > >
                              > > Yeah, that seems to be the only bullet-proof solution :-(
                              >
                              > Plus regular checks to make sure keystroke loggers are not installed.
                              >
                              > I'm sometimes amused at people who go to such lengths over security.
                              > They are probably the same people who casually hand over their credit
                              > card to the waiter in a restaurant...
                              >
                              > --
                              > Geoff Berrow (put thecat out to email)
                              > It's only Usenet, no one dies.
                              > My opinions, not the committee's, mine.
                              > Simple RFDs http://www.ckdog.co.uk/rfdmaker/
