Microsoft ‘fixes’ Hotmail with an unusable fix

In what appears to be a response to the increased awareness created by Firesheep, Microsoft has added a full SSL option for Hotmail.  Unfortunately, it is not the default, so the vast majority of Hotmail users won’t benefit from this security enhancement.  The few Hotmail users who keep up with security news and go to https://account.live.com/ManageSSL will also be faced with a difficult choice.  Enabling HTTPS (SSL) permanently will break the following applications that connect to Hotmail:

Outlook Hotmail Connector

Windows Live Mail

The Windows Live application for Windows Mobile (version 6.5 and earlier) and Symbian

These three applications lack SSL support and therefore still put user data at risk of exposure, but at least they don’t use cookies, so they’re not susceptible to sidejacking.  The problem is that Hotmail users who use these applications will not be able to enable persistent HTTPS on the web version of Hotmail; they will have to manually engage SSL by going to HTTPS://hotmail.com in their web browser every time.

That’s unfortunate because these applications are actually the most attractive aspect of Hotmail.  I’ve found that Windows Live Mail is a hidden gem and even more usable for consumers than Gmail because of its integration with the desktop.  Users can take a hundred high-resolution photos from their digital camera and just drag them into a new email, and Live Mail will automatically shrink the images to a manageable size for upload and put them in Microsoft’s cloud storage service “SkyDrive”.  You can’t do that with Gmail because it is a browser-based application, and I’ve found Live Mail far more friendly for nontechnical users.

Microsoft could have at least enabled SSL by default for desktop web browsers and excluded these three SSL-incompatible applications, but the full solution is to enable SSL by default for all Hotmail clients, whether they’re browser based or not.  Instead we have a solution that technically fixes the sidejacking vulnerability (I verified that it is now invisible to Firesheep) but doesn’t actually offer a solution to the vast majority of Hotmail users.  So instead of raising Microsoft’s score from a “D-” to an “A”, I’m only going to raise it to a “D+” for the moment, until the solution becomes more usable.
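To make the cookie side of this concrete, here is an added example (not code from this post or from Microsoft) that audits a webmail login response for the properties separating an opt-in-SSL site from an SSL-by-default one: whether a plain-HTTP visit is redirected, and whether the session cookie carries the Secure attribute that stops the browser from ever sending it over http://. The sample responses, hostname and cookie names are constructed, and the Strict-Transport-Security check goes beyond the post (it is the later standard mechanism for keeping a browser on HTTPS without the user typing https:// each time).

```python
"""Audit a webmail response for the properties that decide whether its
session cookie can be sidejacked (sniffed on an open network).

Added example, not code from the original post or from Microsoft.  The
sample responses below are constructed to mirror the two configurations
the post contrasts (opt-in SSL versus SSL for everyone by default); they
are not Hotmail's real headers or cookie names.
"""
from dataclasses import dataclass, field

REDIRECT_STATUSES = {301, 302, 307, 308}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_login_response(scheme: str, status: int, headers: list) -> list:
    """Return findings that leave the session cookie exposed on the wire.

    scheme  - "http" or "https": how the client reached the site
    status  - HTTP status code of the response
    headers - list of (name, value) pairs as sent by the server
    An empty list means this response gives a passive sniffer nothing.
    """
    findings = []
    lowered = [(name.lower(), value) for name, value in headers]

    if scheme == "http":
        # A user who types the bare hostname arrives over plain HTTP.  An
        # SSL-by-default site answers with a redirect to https://; an
        # opt-in site serves the page, and its cookies, in the clear.
        location = next((v for k, v in lowered if k == "location"), "")
        if not (status in REDIRECT_STATUSES and location.lower().startswith("https://")):
            findings.append("plain-HTTP request was served instead of redirected to https://")
    elif not any(k == "strict-transport-security" for k, _ in lowered):
        # HSTS (a mechanism later than the post) makes the browser upgrade
        # its own future http:// visits, so nobody has to remember https://.
        findings.append("no Strict-Transport-Security header: next visit to http:// is unprotected")

    for name, value in lowered:
        if name != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if "secure" not in cookie.attrs:
            # Without Secure the browser attaches the cookie to any http://
            # request for the domain, which is all a sniffer waits for.
            findings.append(f"cookie {cookie.name!r} lacks Secure: it will be sent over http://")
        if "httponly" not in cookie.attrs:
            findings.append(f"cookie {cookie.name!r} lacks HttpOnly: readable by page scripts")
    return findings


# Constructed samples (not real Hotmail traffic).
# 1. Opt-in SSL site, user typed the bare hostname: served over HTTP.
OPT_IN_PLAIN = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSION=constructed-session-id; Path=/; HttpOnly"),
])
# 2. Same opt-in site, user remembered to type https:// this time.
OPT_IN_MANUAL_HTTPS = ("https", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSION=constructed-session-id; Path=/; HttpOnly"),
])
# 3. SSL-by-default site: the plain-HTTP request is redirected ...
DEFAULT_SSL_REDIRECT = ("http", 301, [("Location", "https://mail.example.test/")])
# ... and the HTTPS response pins the browser to HTTPS and marks the cookie Secure.
DEFAULT_SSL_HTTPS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "SESSION=constructed-session-id; Path=/; Secure; HttpOnly"),
])


def main() -> None:
    samples = [("opt-in, plain http", OPT_IN_PLAIN), ("opt-in, manual https", OPT_IN_MANUAL_HTTPS),
               ("default ssl, http", DEFAULT_SSL_REDIRECT), ("default ssl, https", DEFAULT_SSL_HTTPS)]
    for label, response in samples:
        findings = audit_login_response(*response)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

The second sample is the one the post is really about: even a user who manually types https:// gets a cookie without the Secure attribute, so the next time they type the bare hostname the browser sends that same cookie in the clear. Marking the cookie Secure and redirecting every plain-HTTP visit, as in samples 3 and 4, is what "SSL by default" has to mean for the fix to protect people who never visit the settings page.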

Now some people are looking at this “D” as a “passing” score, but that was never my intent, since I have always considered anything less than an “A” a failure given the easy grading criteria (I didn’t even dock Google Gmail for its failure to implement strong SSL with perfect forward secrecy).  The only reason Hotmail didn’t get an “F” in my online services report card is that Facebook and Twitter were even worse and I had to give Hotmail a higher score.

The Microsoft Hotmail team might not like this score but I seriously doubt they can look at me with a straight face and tell me that this is anything close to a complete solution.  There are a lot of smart engineers at Microsoft and I know they can do better than this.


[Cross-posted at Digital Society]

About George Ou

George Ou was a network engineer who built and designed wired network, wireless network, Internet, storage, security, and server infrastructure for various Fortune 100 companies. He is also a Certified Information Systems Security Professional (CISSP #109250). He was Technical Director and Editor at Large at ZDNet.com and wrote one of their most popular blogs, “Real World IT.” In 2008 he became a Senior Analyst at ITIF.org, and he currently writes for High Tech Forum.