Microsoft promises fix to Hotmail security this month

I asked Microsoft for a response to their failing score on my “Online services security report card” for their Hotmail service and got the response that Hotmail customers were hoping to hear.  Microsoft will fix the problem and enable full-time SSL browsing for Hotmail this month.  Here’s the official response I got from Microsoft.

“Whenever people access the web through unsecured wireless networks they run the risk of exploits. To protect against these exploits and keep passwords secure we encrypt all connections at login with HTTPS (SSL encryption), and have recently released new security features like Single-Use codes, which allow Windows Live customers to log in with a one-time password and keep their normal password secure on public networks.  In addition to protecting customers’ information at login, in November we will enable Hotmail customers to maintain full-session SSL encryption during their entire Hotmail session, which mitigates cookie-stealing exploits. While we are integrating several security features into Windows Live to help protect our customers, we always recommend that our customers use secure internet connections when browsing the web.” – Microsoft Spokesperson

I will note that cookie-stealing exploits (sidejacking) like Firesheep work independently of full-time SSL browsing.  Sites like Facebook that allow you to manually force an SSL connection for everything are still susceptible to cookie theft, while sites like eBay, which don’t support full-time SSL browsing, aren’t susceptible.  Vulnerability to sidejacking depends on how the JavaScript is written and whether the site transmits its authentication cookies only over SSL or also in the clear.  So while full-time SSL browsing is welcome (because it protects the data you’re looking at), it’s even more important to make sure that cookies aren’t exposed by sloppy JavaScript code.  I’m sure Microsoft’s engineers will verify this as they’re working on the fix, but I’ll retest them and update my report card when they’re finished upgrading.
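The point above is that a session cookie is only as protected as its `Secure` attribute: a cookie set without it is attached by the browser to any `http://` request for the same site, including a script or image that sloppy page code loads over plain HTTP, so it crosses the open hotspot in the clear regardless of how the user reached the inbox. The following added example (my own illustration, not code from this post, Microsoft, or any of the services discussed) models that browser rule over a few constructed `Set-Cookie` headers for a made-up host `mail.example.test` and reports which session cookies would leak. It ignores `Domain` matching, assuming every cookie belongs to that one host.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers for an imaginary webmail host (not real
# headers from any service).  SESSIONID lacks the Secure attribute.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "PREF=lang%3Den; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "CSRFTOKEN=xyz789; Path=/; Secure; HttpOnly",
]

# Names of the cookies that actually authenticate the user (assumed here).
SESSION_COOKIE_NAMES = ["SESSIONID", "CSRFTOKEN"]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into a dict of name, value and the
    attributes that matter for this audit (Secure, HttpOnly, Path)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie


def cookies_sent_with(jar, url):
    """Names of the cookies a browser would attach to a request for `url`.

    A cookie marked Secure travels only on https:// requests; every other
    cookie is also attached to plain http:// requests for a matching path,
    which is exactly what a sidejacking tool on an open hotspot captures.
    """
    parsed = urlsplit(url)
    scheme = parsed.scheme.lower()
    path = parsed.path or "/"
    sent = []
    for cookie in jar:
        if cookie["secure"] and scheme != "https":
            continue
        if not path.startswith(cookie["path"]):
            continue
        sent.append(cookie["name"])
    return sent


def exposed_over_http(jar, session_cookie_names):
    """Session cookies that would cross the network in the clear as soon as
    any page element (script, image, redirect) is fetched over http://."""
    plain = set(cookies_sent_with(jar, "http://mail.example.test/"))
    return sorted(name for name in session_cookie_names if name in plain)


# The browser's cookie jar after the constructed headers were received.
JAR = [parse_set_cookie(h) for h in SAMPLE_SET_COOKIE_HEADERS]


if __name__ == "__main__":
    for name in exposed_over_http(JAR, SESSION_COOKIE_NAMES):
        print(f"{name}: no Secure attribute, leaks on any http:// request")
    print("sent over https:", cookies_sent_with(JAR, "https://mail.example.test/inbox"))
    print("sent over http: ", cookies_sent_with(JAR, "http://mail.example.test/inbox"))
```

Run against real headers, the audit is simple: every cookie on the session list should come back empty from `exposed_over_http`, which is only possible when each of them carries `Secure`. Forcing HTTPS for the pages the user sees does nothing for a cookie that lacks the flag, while a site with `Secure` on every authentication cookie stays safe even if some of its content is still served over plain HTTP.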

Full SSL costs almost nothing

What I’m more curious about is whether Microsoft will implement SSL by default like Google Gmail.  I’ve argued for many years that full time SSL encryption has negligible server and network overhead and Google confirmed this on their production Gmail environment this year.  Google engineers wrote:

“In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.”

Now that Google has made public their experience with full-time SSL on Gmail (which got the only “A” on my online report card), I hope the rest of the industry will finally put the myth that SSL is too expensive to bed and do the right thing.

Facebook’s response to Forbes

Facebook, which absolutely flunked my security report card, responded to Forbes’ Kashmir Hill.  The response offers some hope that there will be a fix within the coming months, but nothing definitive, and it offered some mistaken defenses of Facebook security.  Facebook’s spokesperson claimed that Facebook always “encrypts” the login page.  That’s true, but it’s totally inadequate because good security requires strong encryption and strong authentication.  Facebook’s login page does not authenticate itself to the user because it doesn’t default to HTTPS, which is what helps the user determine whether they’re really visiting Facebook or some imitator’s site.  The U.S. banking industry mistakenly believed that encryption alone was sufficient in 2006 but finally deployed proper server authentication to the user a few years later.  Most other online services have figured this out except for Facebook and Twitter.

Facebook also tells users to “assume that other people can access any information you see or send over a public wireless network.”  But that’s nonsense, because a truly secure site can be safely accessed on an open and unsecured wireless hotspot.  While I’ve been a long-term advocate of securing hotspots with simple solutions, that should not be an excuse for public websites to ignore their users’ security.  Fixing websites with full-time SSL and secure JavaScript coding is not expensive, because it does not require upgrading software, servers and networks, as Google has proven.  It just needs more diligence from the engineers building the website and fewer excuses.


[Cross-posted at Digital Society]