Guest wrote: Request forgery targeting login.yahoo.com or a "centralized" sign-in/sign-out point for Windows Live or for Google can cause users to be signed out of their own accounts and/or signed-in to someone else's account, either of which can be part of a scheme that tricks users.

Given the rule, as written, and other functions within NS, the attack surface you are suggesting would be largely ineffective. It would have negligible, if any, malicious effect. There is no POC that supports your position at this time.
Yahoo! Mail, Windows Live Hotmail, Gmail by Google
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3370
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Yahoo! Mail, Windows Live Hotmail, Gmail by Google
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (en-US; rv:6.9.6.9) Gecko/66666666 Firefox/6.6.6
Re: Yahoo! Mail, Windows Live Hotmail, Gmail by Google
@GµårÐïåñ Such certainty. Interesting.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3370
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Yahoo! Mail, Windows Live Hotmail, Gmail by Google
Guest wrote: @GµårÐïåñ Such certainty. Interesting.

Yes, if you've got something to the contrary, share it. Otherwise I stand by what I said. Anonymous innuendo is not sufficient evidence and that's all you have provided so far. Unless a POC is provided or something intelligibly contrary, I consider this matter closed and will not be responding anymore.
Re: Yahoo! Mail, Windows Live Hotmail, Gmail by Google
GµårÐïåñ wrote: I consider this matter closed and will not be responding anymore.

@guardian Lucky me! Yes, please do not respond anymore.
For everyone else, if your yahoo, windows live or google password gets phished and request forgery against the respective login/logout point played a role in tricking you, be sure to come back and let everyone know.
(Hint for do-it-yourselfers: to avoid possible usability effects, the ABE code to solve the issue may need to be separate from that shown already in this thread.)
Last edited by GµårÐïåñ on Fri Jul 08, 2011 5:42 pm, edited 1 time in total.
Reason: posted from pool-71-246-79-173.bltmmd.east.verizon.net (71.246.79.173)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
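The guest's point above is about request forgery against a sign-in or sign-out endpoint: a page on another site can submit the victim's browser to the login form (signing the victim into an account the attacker controls) or to the logout URL (signing the victim out). The thread says an ABE rule on the client side may address it; the following is an added example, not code from the thread or from NoScript, of how the service side of such an endpoint can defend itself. It is a self-contained Python model of a login/logout handler: the login form sets an anonymous pre-session cookie, the form carries a token derived from that cookie, and the handler also checks the request's Origin (falling back to Referer). The host name, secret, user table and request dicts are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example; a real service loads the secret from a secret
# store and uses its real sign-in origin.
SERVER_SECRET = b"example-only-secret-do-not-reuse"
SITE_ORIGIN = "https://login.example.test"
USERS = {"alice": "correct horse battery staple"}   # constructed credential table


def new_presession() -> str:
    """Anonymous pre-login session id, set as a cookie when the login form is served."""
    return secrets.token_urlsafe(32)


def csrf_token_for(presession: str) -> str:
    """Token derived from the pre-session id, so the server verifies it without state.
    A foreign page can fill in form fields in the victim's browser but cannot read the
    victim's cookie, so it cannot produce a matching token."""
    return hmac.new(SERVER_SECRET, presession.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Browsers attach Origin to cross-site POSTs; a foreign or absent origin is rejected.
    This layer also covers a sibling-subdomain site planting a pre-session cookie on the
    victim (cookie tossing), which would defeat the token check on its own."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer", "")
    return referer.startswith(SITE_ORIGIN + "/")


def handle_auth_post(request: dict) -> tuple:
    """Process POST /login or POST /logout; returns (status, message).
    request is a plain dict: {"method", "path", "headers", "cookies", "form"}."""
    if request.get("method") != "POST":
        return 405, "login and logout accept POST only"
    if not origin_allowed(request.get("headers", {})):
        return 403, "cross-origin request rejected"
    presession = request.get("cookies", {}).get("presession")
    token = request.get("form", {}).get("csrf_token")
    if not presession or not token:
        return 403, "missing pre-session cookie or csrf token"
    if not hmac.compare_digest(csrf_token_for(presession), token):
        return 403, "csrf token does not match pre-session cookie"
    if request["path"] == "/login":
        user = request["form"].get("user", "")
        password = request["form"].get("password", "")
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return 401, "bad credentials"
        return 200, f"signed in as {user}"
    if request["path"] == "/logout":
        return 200, "signed out"
    return 404, "no such endpoint"


def demo() -> dict:
    """One legitimate sign-in beside two forged requests; returns the status codes."""
    victim_presession = new_presession()
    victim_token = csrf_token_for(victim_presession)
    legitimate = {
        "method": "POST", "path": "/login",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"presession": victim_presession},
        "form": {"csrf_token": victim_token, "user": "alice",
                 "password": "correct horse battery staple"},
    }
    # A page on another site auto-submits the victim's browser to /login: the browser
    # sends the victim's cookie and the foreign Origin, and the page supplies no token.
    forged_cross_site = {
        "method": "POST", "path": "/login",
        "headers": {"Origin": "https://other-site.test"},
        "cookies": {"presession": victim_presession},
        "form": {"user": "someone-else", "password": "not-the-victims"},
    }
    # Origin passes, but the token was computed for a different pre-session cookie.
    forged_wrong_token = {
        "method": "POST", "path": "/logout",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"presession": victim_presession},
        "form": {"csrf_token": csrf_token_for(new_presession())},
    }
    return {
        "legitimate": handle_auth_post(legitimate)[0],
        "forged_cross_site": handle_auth_post(forged_cross_site)[0],
        "forged_wrong_token": handle_auth_post(forged_wrong_token)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately layered: the token binds the form to a cookie the foreign page cannot read, and the Origin check catches the case where the cookie itself was planted by a related host. A client-side rule such as ABE can refuse to send cross-site requests to the sign-in host at all, which protects the user even when the service has neither check.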
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3370
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Yahoo! Mail, Windows Live Hotmail, Gmail by Google
You need to watch yourself. Posting anonymously and cowardly does not give you permission to be rude or dismissive to members of this forum who are doing a service to the community by providing support. You don't like it, that's your prerogative, but that is not permission to be offensive. Your posts WILL be deleted as a violation of the forum rules if you continue this line of behavior. Consider this your only and public warning to abide by decorum or take your troll posts elsewhere. You provide no evidence to the contrary and yet find it necessary to argue with those who have been supporting and using the software in question.
- Giorgio Maone
- Site Admin
- Posts: 9526
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Yahoo! Mail, Windows Live Hotmail, Gmail by Google
Locking, since it seems we've been OT for quite a long time now.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Re: Yahoo! Mail, Windows Live Hotmail, Gmail by Google
Giorgio, will you please forgive me if I unlock it just enough to get back *on* topic, since I use Yahoo mail?
therube wrote: Yahoo works without allowing yahoo.com. (I use Yahoo "Classic" version.) yimg.com is allowed. Not sure if it is actually needed or not.

I also use Classic Yahoo. (Warning: if you accept the invitation to "upgrade" to New Improved, it's irreversible, according to their fine print. Instructions on staying with Classic "will be posted soon" on their Help page.)
You can restrict the yimg.com to merely mail.yimg.com, depending on how much graphics you like. I prefer almost none.
yahooapis.com is annoying, with the "user status" (online/offline), the status of your contacts, etc. It can be left default-deny, then only temp-allow for tasks that need it, such as editing contacts list, certain account preferences/profile etc. It's off 99+% of the time when I'm in e-mail. "If you don't need it, don't let it run."
The guest who pointed out the dangers of single-sign-on effectively makes the argument against this security-vs-convenience tradeoff. Use separate IDs for each function. The Wikipedia link had Bob storing a bank login cookie on his machine. Terrible. Storing login cookies leads to precisely this danger. Session-only cookies for *everything*, and never have another browser window or tab open while doing banking or other sensitive activities.
If this is overwhelming, Password Safe is a free, open-source tool that will generate strong passwords, store them for you securely (encrypted) *on your own machine*, not on someone else's server, browse to the site for you, and auto-type your login creds, if you like. Very compact, and the encrypted password file is only 10-20k, for easy backups. Can be put on USB flash and taken with you, without leaking data to the host machine. Disclaimer: I have no connection to Password Safe. My experience and opinion only. Use at your own risk.
Plus the ABE rules that Giorgio so kindly gave us.
Again, Giorgio, I hope you find the above information relevant enough to the topic of webmail security to forgive my adding this. Re-locking.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.17