Hacker News
by
TallGuyShort
3551 days ago
The other possibility is somehow intercepting them between SSL termination and hashing.
perfectfire
3551 days ago
That's a good point. If they got ahold of Yahoo's cert key they could even grab passwords before SSL termination.
schoen
3551 days ago
Not passively anymore: login.yahoo.com is negotiating PFS ciphersuites which the private key can't decrypt without a copy of the ephemeral ECDHE parameters.