LOUISVILLE, KY – As Derby Con was winding down, an interesting email from Venafi hit Salted Hash’s inbox. The security firm, known for its tools that secure digital keys and certificates, outlined a number of cryptographic issues at Yahoo.

The email went on to say that Venafi is not claiming these flaws led to the massive data breach that impacted 500 million users. Yet that is exactly what its statements hint at.

In Venafi’s experience, an emailed statement from Alex Kaplunov, Venafi’s vice president of engineering, explains, breaches like the one suffered by Yahoo are often accompanied by weak cryptographic controls.

Granted, Venafi has a horse in this race, so the statement is not an unusual one for the company to make, but it is interesting, as it could explain how Yahoo failed to notice half a billion records moving into criminal hands over time.

To test the theory, Venafi examined Yahoo’s public-facing certificates over the weekend and found that 27 percent of the certificates exposed externally on Yahoo’s websites have not been reissued since January 2015. Further, only 2.5 percent of the 519 certificates deployed were issued within the last 90 days. This, Venafi says, suggests that Yahoo does not have the ability to find and replace digital certificates quickly.

Moreover, “a surprising number” of Yahoo’s digital certificates are signed with MD5, a hash function whose collision weaknesses have been known for years. Those weaknesses have been exploited by malware used in alleged state-sanctioned espionage, such as Flame, which used an MD5 collision to forge a trusted certificate.

“All of the MD5 certificates in use by Yahoo! today and many of the other certificates Venafi Labs evaluated are self-issued. One current MD5 certificate uses wildcards (*.yahoo.com) and has an expiration date of 5 years. Certificates with long expiration dates, those that are self-issued, and those that use wild cards are all symptoms of weak cryptographic control,” the research note explained.

Finally, Venafi found that 41 percent of the external Yahoo certificates use SHA-1. Major browser vendors have stated that they will stop accepting SHA-1 certificates in January 2017.

“Any one of these cryptographic issues would leave an organization extremely vulnerable to attacks on encrypted communication and authentication,” said Hari Nair, director of product management and cryptographic researcher for Venafi.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said, “It seems very likely that the exfiltrated data was encrypted and that’s how the attackers managed to move such a massive amount of data while staying under the radar of Yahoo! security tools. It’s nearly impossible for any organization to detect unauthorized, encrypted traffic coming in or out unless they have strong cryptography practices.”

“Yahoo has not replaced cryptographic keys and digital certificates over the last 90 days in any way that would represent a coordinated response to a breach. And even more troubling, known vulnerabilities like MD5 certificates combined with a wildcard certificate that has a 5 year expiration date makes it clear that Yahoo lacks deep visibility into their cryptographic security posture. Organizations use encryption to secure everything - without a comprehensive understanding of cryptographic risks, there is absolutely no way to be confident about security or privacy,” Bocek added.

While Venafi has stated it is not saying the Yahoo breach was caused by the cryptographic problems, it has been shown before that criminals hide their actions within encrypted channels. Two separate issues are being linked here: weak signature algorithms, wildcards and long-lived self-issued certificates make it easier to forge or misuse a certificate, while Bocek’s detection argument rests on whether an organization knows its keys and certificates well enough to inspect the encrypted traffic they protect. Again, Venafi has skin in the game, but its research offers an interesting theory.
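The checks Venafi describes (signature algorithm, self-issuance, wildcard names, validity length, and how recently certificates were issued) are simple to run against an inventory you already hold. The script below is an added example, not Venafi’s tooling and not based on Yahoo’s real certificates: it applies those checks to a constructed inventory of four records laid out like the dictionaries Python’s `ssl.getpeercert()` returns, plus a `signatureAlgorithm` field that `getpeercert()` does not expose (assumed to be collected separately, for instance from `openssl x509 -noout -text`). The January 2015 cutoff, the 90-day window, the 825-day validity cap and the audit date are assumptions chosen to mirror the article’s figures.

```python
"""Certificate-hygiene audit over a constructed inventory.

Added example, not Venafi's tooling and not real Yahoo data. Each record
mirrors the dict returned by ssl.getpeercert(), plus a 'signatureAlgorithm'
field that getpeercert() does not expose (assumed gathered separately).
"""
import ssl
from datetime import datetime, timedelta, timezone

# Audit parameters (assumptions chosen to mirror the article's checks).
STALE_CUTOFF = datetime(2015, 1, 1, tzinfo=timezone.utc)  # "not reissued since January 2015"
RECENT_DAYS = 90                                           # "issued within the last 90 days"
MAX_VALIDITY_DAYS = 825                                    # assumed cap; a 5-year cert far exceeds it
AUDIT_DATE = datetime(2016, 9, 26, tzinfo=timezone.utc)    # constructed "now"


def _rec(cn, issuer_cn, not_before, not_after, sig):
    """Build one getpeercert()-shaped record (constructed, not a real cert)."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": (("DNS", cn),),
        "notBefore": not_before,
        "notAfter": not_after,
        "signatureAlgorithm": sig,
    }


# Constructed inventory: four records, none of them real certificates.
INVENTORY = {
    # self-issued wildcard, MD5-signed, five-year validity
    "wild-md5": _rec("*.example.com", "*.example.com",
                     "Mar  1 00:00:00 2013 GMT", "Mar  1 00:00:00 2018 GMT",
                     "md5WithRSAEncryption"),
    # CA-issued but still SHA-1
    "mail-sha1": _rec("mail.example.com", "Example Public CA",
                      "Jun 15 00:00:00 2015 GMT", "Jun 15 00:00:00 2017 GMT",
                      "sha1WithRSAEncryption"),
    # recently issued, SHA-256: nothing to flag
    "www-sha256": _rec("www.example.com", "Example Public CA",
                       "Aug 20 00:00:00 2016 GMT", "Aug 20 00:00:00 2017 GMT",
                       "sha256WithRSAEncryption"),
    # SHA-256, but not reissued since before the cutoff
    "api-sha256-old": _rec("api.example.com", "Example Public CA",
                           "Nov  1 00:00:00 2014 GMT", "Nov  1 00:00:00 2016 GMT",
                           "sha256WithRSAEncryption"),
}


def _name_to_dict(rdns):
    """Flatten the nested RDN tuples used by ssl.getpeercert() into a dict."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def _to_utc(cert_time):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form ssl.getpeercert() uses."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def audit_cert(cert, now=AUDIT_DATE):
    """Return the weak-control symptoms found in one certificate record, in check order."""
    findings = []
    sig = cert["signatureAlgorithm"].lower()
    if sig.startswith("md5"):
        findings.append("md5-signature")
    elif sig.startswith("sha1"):
        findings.append("sha1-signature")

    subject, issuer = _name_to_dict(cert["subject"]), _name_to_dict(cert["issuer"])
    if subject == issuer:            # same name on both sides: self-issued
        findings.append("self-issued")

    names = [subject.get("commonName", "")]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if any(n.startswith("*.") for n in names):
        findings.append("wildcard")

    not_before, not_after = _to_utc(cert["notBefore"]), _to_utc(cert["notAfter"])
    validity_days = (not_after - not_before).days
    if validity_days > MAX_VALIDITY_DAYS:
        findings.append(f"long-validity:{validity_days}d")
    if not_before < STALE_CUTOFF:
        findings.append("not-reissued-since-cutoff")
    return findings


def summarize(inventory, now=AUDIT_DATE):
    """Fleet-wide percentages of the kind quoted in the article, plus the flagged names."""
    total = len(inventory)
    results = {name: audit_cert(c, now) for name, c in inventory.items()}

    def count(prefix):
        return sum(1 for f in results.values() if any(x.startswith(prefix) for x in f))

    recent = sum(1 for c in inventory.values()
                 if now - _to_utc(c["notBefore"]) <= timedelta(days=RECENT_DAYS))
    pct = lambda n: round(100.0 * n / total, 1)
    return {
        "total": total,
        "md5_pct": pct(count("md5-signature")),
        "sha1_pct": pct(count("sha1-signature")),
        "stale_pct": pct(count("not-reissued")),
        "recent_pct": pct(recent),
        "flagged": sorted(name for name, f in results.items() if f),
    }


if __name__ == "__main__":
    for name, cert in INVENTORY.items():
        print(f"{name:15s} {audit_cert(cert) or 'clean'}")
    print(summarize(INVENTORY))
```

To run it against a live endpoint you would replace the constructed records with the output of `ssl.SSLSocket.getpeercert()` and add the signature algorithm from your own scanner; the audit and summary functions are unchanged. Note that `getpeercert()` only returns a populated dict when the connection was made with certificate verification enabled, so self-issued certificates of the kind flagged here have to be pulled in binary form and decoded separately.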
Salted Hash has reached out to Yahoo for comment, and will update this post if the company chooses to respond.