Yahoo Sign and Seal

Since this topic cannot be answered (because it's too old):

https://www.wilderssecurity.com/showthread.php?t=80612

Here are some messages from the old TORPARK forum, regarding this subject. This forum doesn't exist anymore, however, I save some informations posted.

Question:

Hello,
please, somebody can explain me some about scripts?

Every web page i open need to allow temporally script....why?? Is it Dangerous for my anonimity?

For example, when i open yahoo.com i need to allow temporally yimg.com and yahoo.com and akamay.net , if not, i cant see page correctly, so...this can compromise my anonimity? yahoo can reveal my real IP ?

but, other question is....if i send an email whit yahoo for exemple, the reciver only see the IP (Tor's IP), and what he can do whit this IP? He need to ask to TOR server info about this IP ? or t Yahoo company?

Thanks

Answer:

arrakis (creator of Torpark):

Yahoo is not to be trusted under any circumstance:

http://www.hacktivismo.com/news/?p=1216 (broken link)

http://www.wired.com/news/technology/0,72972-0.html?tw=wn_politics_4 (broken link)

They can place scripts on their website that allow them to find out your true IP address, which they will then turn over to authorities. I suggest you seriously consider stop using Yahoo.

Question:

Thanks,
i thing that this happend for serious crimes, maybe in USA FBI have this power on Company like yahoo, but in Europe is more difficult to have this notice from company that have your offices in other country.

But, please, make the invers option....i mean.....i send an yahoo email to one person tell him that is an Idiot !! he can only see my IP, and using TORPARK, the IP is of Tor servers, right?

This person go to Autorities and give the email and IP !! What autorities do? search IP server or contact Yahoo?? if they reach IP server, which information can get from ?

Thanks

Answer:

arrakis (creator of Torpark):

They only get the IP address of the Tor server, which does not have any logs about you.

And in Europe the laws are even worse. In 2009, all internet ISPs will be required to log your internet traffic due to data retention laws.

YAHOO SIGN and SEAL
Topic from September, 2006

User: roguesentry

OK. Yahoo has implemented this new "sign in seal" thru cookies, so they say. Torpark was not the browser I registered with, so no problem, right?

Wrong.

When I try to login on any yahoo site, it still gives me my personalized sign in seal on my home computer, which means it recognizes my computer. I deleted all TorPark cookies and cleared all private data, restarted and same deal.

How is this?

How can Yahoo recognize my home computer thru Torpark and "onion"ing? Can this be fixed?

User: arrakis

I have no idea how it works. Cookies are deleted automatically upon exit. So it can't be cookie based. Tell me, are you doing this during different sessions of Torpark?

User: roguesentry

Yes. Different sessions. I even completely deleted and reinstalled Torpark, and it still shows up before I login the first time. I have regular Firefox, Opera, and IE on my computer and registered with it on them, too. Maybe somehow there's some interaction between Torpark and regular Firefox, somehow it's reading the cookies from reg. Firefox? FYI, I store Torpark on a completely different physical drive than reg. Firefox is stored, too.

There is a disturbance in the Force. LOL.

User: arrakis

Okay, obviously something is wrong. It is recognizing your computer regardless of Torpark. I wish i could be there, I bet it is something really simple.

First off, clear your cache/cookies of your regular firefox/IE/etc. Make sure you aren't running them.

Okay now see if it already knows your name using regular firefox.

User: anogeorgeo

Hey,

I've looked at "sign and seal" and I found it's a custom message/picture saved as an .xml and a cookie that an end-user chooses and is placed onto the end-users computer. It looks like Yahoo! and Yahoo! sites attempt to find the custom "seal" on the end-users computer to prevent Phising attacks.

It looks like the "seal" is used mainly for Yahoo! Personalized sites but Yahoo! mail also may use it.

You don't have to use Sign and Seal with your Yahoo! services, it is an option not a requriment. I suggest you don't use sign and seal.

Here's Yahoo!'s explination of this "feature":
http://help.yahoo.com/l/us/yahoo/security/security-04.html

-----------------------------------------------

Here's how to remove the "sign and seal":

1. Navagate to your "[UserProfile]\Application Data\User Data\" folder.

1a. The blue text above is ment to show that you need to navagate to your "\User Data\" directory.

1b. The full "\User Data\" path most likely will be: "C:\Documents and Settings\[User Name]\Application Data\User Data\". The green "\[User Name]\" is your Windows User Profile, by default it's "Owner" but you might have changed that.

2. Within the "\User Data\" directory there will be a few folders with random titles like "ODFXSDVY". Look through these folders until you find an .xml file titled "YL[*].xml". The asterisk (*) is a wildcard and will be a single digit, most likely "1".

2a. Backup the "YL[*].xml" file into your "\[UserProfile]\" directory and rename it to "Yahoo-Seal.txt".

2b. Now go back to the folder within "\User Data\" where you found the .xml and delete the .xml.

3. Clear the cache and cookies you have stored on TorPark, Firefox, IE and Opera.

4. Restart TorPark, visit Yahoo! and your "sign and seal" will be history

5. If the directions worked you can now delete the file "Yahoo-Seal.txt" you put in your "\[UserProfile]\" directory.

Note: If you use Macromedia Flashpalyer or Java you should delete their cookies also. But you shouldn't be using those over Tor anyway so they shouldn't be an issue.

Let us know if that works for you,
Anogeorgeo

User: roguesentry

Hmm. This reply got posted somewhere else.

This is a little out of my area of expertise, but wouldn't it be possible to code Torpark so that it wouldn't access that stored information on the computer's HD? If it's doing that, it's not really running completely off of a USB, plus that's a pretty big hit against its users' anonymity, no? If you can be tracked to a single computer, it would be little work to ID the user.

User: anogeorgeo

Hi,

It's not TorPark that's accessing the .xml I believe it's Yahoo when your logging on. Or, Yahoo could be giving TorPark (eg. Firefox portable) a command to look for the .xml but I doubt it. You do have Java turned off correct?

Have you tried deleting the .xml and clearing the cookies and cache as I suggested?

I wouldn't use the sign and seal feature if I were you.

On a side note:

If you created the Yahoo account with your regular Firefox without using a proxy why are you using TorPark to access that Yahoo account? Your original IP is already logged so accessing it via. TorPark isn't going to grant you anonymity. It may be worse for your anonymity to access a Yahoo account linked to your real IP via. TorPark due to exit node issues.

Anogeorgeo

Hey,

I forgot to mention, if your worried about Phishing then you may want to use the Firefox extension "VerifyURL" http://invisibill.mozdev.org/verifyurl/ .

I use this extension and I like it alot, just right click on the webpage/website and choose the menu item "VerifyURL"

User: roguesentry

I think I discovered an easier solution that deleting stuff. "Run as" a different user, in this case a user made just for Torpark, and the seal DOES NOT display.

Easier solution, no?

User: anogeorgeo

Hi,

Easier yes but more secure no, I wouldn't trust your solution in the future.

For a middle ground you could rename the YL[*].xml file to YL[*].txt when you use TorPark and rename it back to .xml when you wish to use the sign and seal.

Regards, Anogeorgeo