HTTPS Bug Disrupts Secure Hotmail Service

Microsoft turned off HTTPS access for Hotmail in some countries, leaving emails open to interception

Hotmail users in the Middle East, Africa and Asia had secure access to their email accounts disabled on Friday 25 March, after Microsoft turned off its ‘use HTTPS automatically’ setting.

The move – initially reported by Jillian C. York, who writes for Al Jazeera English – could potentially have allowed government-controlled ISPs to eavesdrop on sensitive communications. The problem was reported in more than a dozen countries, including Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan.

Hotmail users with their location set to any of these countries, who attempted to turn on the always-use-HTTPS feature in order to read their mail securely, received an error message that said: “Your Windows Live ID can’t use HTTPS automatically because this feature is not available for your account type.”

York pointed out that users in the affected countries were able to overcome the problem by changing their location setting, indicating that users had been barred from HTTPS by their stated location rather than by IP address.

An inconvenient truth

Microsoft responded to the issue late on Friday, with a statement on one of its technical help sites.

“We are aware of an issue that impacted some Hotmail users trying to enable HTTPS. That issue has now been resolved,” read the statement. “Account security is a top priority for Hotmail and our support for HTTPS is worldwide – we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused.”

However, some online commentators have pointed out that, for many people in the affected countries, this mistake could be far more than an inconvenience – and could even lead to political activists being rooted out and forced to face the consequences.

“For Microsoft to take such an enormous step backwards – undermining the security of Hotmail users in countries where freedom of expression is under attack and secure communication is especially important – is deeply disturbing,” wrote EFF International activist Eva Galperin on the Deeplinks blog.

Microsoft introduced the always-use-HTTPS feature for Hotmail in November 2010, enabling users to protect their sensitive communications from hijackers and fraud. The move followed Google’s decision to switch HTTPS to always-on by default for Gmail users earlier that year.

Facebook, meanwhile, recently increased the security of its account log-ins, reportedly following attempts by the Tunisian government to capture the login details of all Facebook users.

“By using a connection with advanced security features, you can be even more confident that your account is safer from hijackers and your private information is less likely to fall into someone else’s hands,” blogged Dick Craddock, group programme manager for Windows Live Hotmail, at the time.

Ensuring anonymity on the web

In related news, the Free Software Foundation has honoured the Tor Project – which works to ensure anonymity online and defend users against network surveillance and traffic analysis – at its latest annual award ceremony. According to the FSF, the technology “proved pivotal in dissident movements in both Iran and more recently Egypt”.

Despite attempts by the Egyptian government to block online communications during the recent political protests, the Tor Project helped to ensure privacy and anonymity on the web.

The Tor Project received the foundation’s Award for Projects of Social Benefit, which in previous years has gone to the Internet Archive, Creative Commons, Groklaw and Wikipedia.