
Yahoo is introducing a new way to protect people from phishing attacks. They are going to let you create a seal that will be displayed when you visit an authentic Yahoo! webpage.
Good so far. But, I have a couple problems with this new method.
1) It is tied to an individual computer. Yahoo says that the “seal is a secret between the computer you set it up on and Yahoo!” I don’t really like my computer to have secrets from me, but that’s a different issue. If you want to use this anti-phishing technique on a work computer and/or multiple home computers, you will need to create a different seal for each one. That just seems like a lot of work.
2) It doesn’t work.
Don’t believe me? Let’s look over the FAQ and read the response to the question “What if I don’t see my sign in seal?”
The correct answer should be: run away. Shut your browser, clear your cache, delete your cookies and thank your deity of choice that the seal protected you from a phishing attack.
But, that is not the correct answer according to Yahoo!
You could be on a fraudulent site, but there might be other reasons why you can’t see it. For example, someone else using your computer may have deleted or changed your seal, your cookies or files on your computer may have been deleted, or you’re using a partner or international Yahoo! site (like BT Yahoo! or Yahoo! India). To be safe, look for these other clues to make sure you’re on a genuine Yahoo! sign-in screen.
That’s a mouthful of silliness. Let’s break it down.
My powerful seal tells me when I am on a valid Yahoo! site, but sometimes he doesn’t? How could that be? Oh, cookies might have been deleted. We all know seals only stick around for the cookies. But, aren’t we supposed to be deleting our cookies from time to time for security reasons? What kind of internet security system almost encourages users to never delete their cookies? Oh wait, maybe the cookies are fine. Maybe we are just on Yahoo! India. But, Yahoo! India looks a lot like Yahoo! America. I would be willing to bet that a phisher could direct somebody over there without them noticing and phish away.
The last line of that quotation needs special mention all by itself. If the seal isn’t going to keep me safe, and I’m still going to have to make sure I’m on a genuine Yahoo! sign-in screen, then what exactly is the seal doing?
Though you call yourself an “internet man”, you seem to have no idea whatsoever what it takes to ID a website user.
The server end simply does not get any more info (usable for unique identification) on you than your IP address (not exactly relevant) and whatever cookie is stored *on your computer*.
As such there’s absolutely no way to send you back your personalized sign-in seal without you logging in first, if not done by cookies. And then again, cookies are tied to a single computer.
I do understand how cookies work. And for that exact reason I think this is a pretty useless method that Yahoo is proposing. Anything that needs to be set up again every time you clean up cookies or move to a new computer isn’t going to be something that people are going to be willing to buy into.
I think it’s more than cookies. Cleared the Firefox cookies and restarted, seal is there. Installed a brand new browser, like Opera, and the seal is there. Must somehow get a number off your PC, like a MAC address.
I feel it hampers our privacy while surfing the web. The sign-in seal doesn’t depend on cookies or browsers. There’s something more to it, which uniquely identifies my computer (more than an IP address). Even if I delete the seal, Yahoo! still knows that it is my computer and I have set the setting to not show the seal.
The seal cookie is stored in a Flash folder… if you delete it and your browser cookies… it’s gone!
From: http://girishnayak.blogspot.com/2006/09/how-does-yahoo-sign-in-seal-work.html
Yahoo uses multiple methodologies to achieve the tagging of a user’s system.
1. Simple browser cookie
2. Flash Shared Objects (.sol), a.k.a. Flash cookie
3. XML file in the UserData folder
The interesting part of the findings is how persistent the tagging has been. If you delete one source, the other one will help Yahoo identify the system and recreate the deleted data.
How to delete Yahoo Sign In SEAL tracking completely?
1. Close Browsers
2. Delete the cookies from the browser (IE: Tools > Internet Options > Delete Cookies; Firefox: Ctrl+Shift+Del)
3. Delete Flash Shared Objects from C:\Documents and Settings\{user name}\Application Data\Macromedia\Flash Player\#SharedObjects
4. Delete YL[1].xml. On Windows XP you can find it here: C:\Documents and Settings\{user name}\UserData\{random folder like ODFXSDVY}\YL[1].xml
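As an added example (not from this post or the blog quoted above), here is a small audit script for steps 3 and 4 of that procedure: it scans a Windows XP-style profile directory for the two disk-resident seal stores the comment names (Flash Shared Objects and the UserData YL[1].xml), removes them, and re-scans so you can confirm nothing survived. The profile layout, folder names and file contents in the sample are constructed assumptions; browser cookies (step 2) live in browser-specific databases and are not covered.

```python
# Added example, not code from the post or the quoted blog. Audits the two
# on-disk seal stores named in the cleanup procedure. Paths and sample file
# names are assumptions mirroring the comment's Windows XP layout.
from pathlib import Path
import tempfile

FLASH_SO = Path("Application Data/Macromedia/Flash Player/#SharedObjects")
USERDATA = Path("UserData")
SEAL_XML = "YL[1].xml"   # literal name; '[1]' would be a glob class, so no glob()


def find_seal_artifacts(profile_root: Path) -> list[str]:
    """Return profile-relative paths of files that can re-seed the seal tag."""
    found = []
    so_dir = profile_root / FLASH_SO
    if so_dir.is_dir():
        # Flash keeps one .sol per site under a random per-player folder.
        for sol in so_dir.rglob("*.sol"):
            found.append(sol.relative_to(profile_root).as_posix())
    ud_dir = profile_root / USERDATA
    if ud_dir.is_dir():
        # IE userData lands in a random folder, so look one level down.
        for sub in ud_dir.iterdir():
            xml = sub / SEAL_XML
            if sub.is_dir() and xml.is_file():
                found.append(xml.relative_to(profile_root).as_posix())
    return sorted(found)


def remove_seal_artifacts(profile_root: Path) -> int:
    """Delete every artifact find_seal_artifacts reports; return the count."""
    paths = find_seal_artifacts(profile_root)
    for rel in paths:
        (profile_root / rel).unlink()
    return len(paths)


def build_sample_profile(root: Path) -> None:
    """Constructed sample profile; folder and file names are hypothetical."""
    so = root / FLASH_SO / "ODFXSDVY" / "login.yahoo.com"
    so.mkdir(parents=True)
    (so / "YL.sol").write_bytes(b"\x00\xbf")          # dummy Flash cookie
    ud = root / USERDATA / "ODFXSDVY"
    ud.mkdir(parents=True)
    (ud / SEAL_XML).write_text("<ROOTSTUB/>")         # dummy userData xml
    (root / "Cookies").mkdir()                        # unrelated; must be ignored


def audit_sample() -> tuple[list[str], int, list[str]]:
    """Build the sample profile in a temp dir: audit, clean, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        build_sample_profile(profile)
        before = find_seal_artifacts(profile)
        removed = remove_seal_artifacts(profile)
        return before, removed, find_seal_artifacts(profile)


if __name__ == "__main__":
    print(audit_sample())
```

To check a real profile, call find_seal_artifacts(Path(r"C:\Documents and Settings\<user name>")) and expect an empty list once the cleanup steps have been done.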