Three weeks after researchers unveiled a plugin that allows Firefox Web browser users to snoop on the Webmail and social networking sessions of those around them, Microsoft has announced an option that will allow users of its Hotmail Web e-mail program to browse securely.

The company said on Tuesday that it was adding full-session SSL encryption for Hotmail. Users of that service can enable HTTPS for their messages, calendar and contacts using a Web-based interface. Microsoft had previously used SSL encryption only to secure connections at login, and first announced that it would deliver full-session encryption in late September.

Related Web-based services, including SkyDrive, Photos, Docs and Devices, will all use SSL automatically from now on, according to the post on the Windows Team Blog, which was attributed to Dick Craddock, Group Program Manager for Windows Live Hotmail.

The insecurity of Web sessions has long been a bone of contention between security researchers and Web 2.0 firms, who have preferred accessibility and feature development over security. The demonstration of FireSheep at the ToorCon Conference in San Diego in late October changed that.

The plugin, developed by independent researcher Eric Butler and Ian Gallagher of Security Innovation, monitors unencrypted wireless networks for Web 2.0 sessions and then allows the FireSheep user to impersonate the authenticated user, effectively snooping on his or her session in an attack known as “session hijacking” or “sidejacking.” Using SSL-encrypted HTTP prevents others from viewing the content of a Web session, even on an insecure wireless network.
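The reason login-only SSL (the arrangement the article says Hotmail used before this change) does not stop sidejacking is that the session cookie issued at login is replayed by the browser on every later request, and on a plaintext page that replay is visible to anyone on the same network. The fix is full-session HTTPS plus the `Secure` attribute on the cookie, which instructs the browser never to send it over `http://`. The following is an added example, not code from the article, Microsoft or the FireSheep project: a small defender-side audit of a server's response headers for the properties that close this gap. The cookie name `SESSID`, the header values and both sample responses are constructed for illustration; the `Strict-Transport-Security` check reflects a later hardening mechanism that the article itself does not mention.

```python
"""Audit HTTP response headers for the properties that prevent sidejacking.

Added example (not from the article). The two sample responses below are
constructed: one in the "SSL at login only" style, one with full-session
HTTPS. Cookie name SESSID and all header values are assumptions.
"""


def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie_name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            # Flag attributes such as Secure / HttpOnly carry no value.
            attrs[part.lower()] = True
    return name, attrs


def audit_response(scheme, headers):
    """Return a list of findings for one response; an empty list means clean.

    scheme  -- 'http' or 'https', the transport the response arrived over
    headers -- list of (name, value) pairs as sent by the server
    """
    findings = []
    if scheme != "https":
        findings.append("response delivered over plaintext HTTP")
    has_hsts = False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            cname, attrs = parse_set_cookie(hvalue)
            if "secure" not in attrs:
                findings.append(
                    f"cookie {cname!r} lacks Secure: browser will replay it over http://")
            if "httponly" not in attrs:
                findings.append(
                    f"cookie {cname!r} lacks HttpOnly: readable by page scripts")
        elif lname == "strict-transport-security":
            has_hsts = True
    if scheme == "https" and not has_hsts:
        findings.append(
            "no Strict-Transport-Security: a typed http:// URL still goes out in clear")
    return findings


def harden_set_cookie(value):
    """Append Secure and HttpOnly to a Set-Cookie value when they are missing."""
    _, attrs = parse_set_cookie(value)
    out = value.rstrip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


# Constructed sample: login page over HTTPS, but the session cookie is
# unflagged, so the browser will send it with the next http:// request.
LOGIN_ONLY_SSL = ("https", [
    ("Set-Cookie", "SESSID=abc123; Path=/"),
    ("Content-Type", "text/html"),
])
# Constructed sample: the inbox itself served over plain HTTP afterwards.
INBOX_OVER_HTTP = ("http", [("Content-Type", "text/html")])
# Constructed sample: full-session HTTPS with a properly flagged cookie.
FULL_SESSION_SSL = ("https", [
    ("Set-Cookie", "SESSID=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Content-Type", "text/html"),
])

if __name__ == "__main__":
    for label, resp in [("login-only SSL", LOGIN_ONLY_SSL),
                        ("inbox over HTTP", INBOX_OVER_HTTP),
                        ("full-session SSL", FULL_SESSION_SSL)]:
        print(label, "->", audit_response(*resp) or ["ok"])
    print(harden_set_cookie("SESSID=abc123; Path=/"))
```

Run against a real deployment, the same check is done by fetching the login response and one post-login page and feeding their headers to `audit_response`; a single finding on the post-login page is enough to reproduce the exposure the article describes, regardless of how the login itself was protected.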

The demonstration unleashed a flood of news coverage, controversy and interest in the plugin. FireSheep has been downloaded more than 600,000 times since it was unveiled at ToorCon. That coverage put pressure on Web application firms to offer an option for users to securely connect to and interact with their Web sites. At the time of the demonstration, Google was one of the few companies that used SSL by default for its Gmail Web-based e-mail.

While Microsoft’s full session encryption had been in the works for some time, it is expected that other organizations will be rolling out secure interfaces in the weeks ahead, as well.

As is often the case, however, security comes at a cost. The blog post notes that turning on SSL will break the Outlook Hotmail Connector, as well as integration with Windows Live Mail and the Windows Live application for mobile devices using Windows Mobile (Version 6.5 and earlier) and Symbian.

Categories: Cryptography, Social Engineering, Web Security

Comments (6)

  1. Anonymous

    This was the intention of the person that pushed the Firefox plug-in, Eric Butler. I’d call that a big win. (Other social networks might as well get busy before the “media” starts making fuss about how ‘they are not preventing this sort of session hi-jacking’.)

  2. Anonymous

    Since updating my account to use HTTPS, I have been unable to log in to Hotmail. It gets to a .live.com authentication page and hangs. Neither FF nor IE8 works. Sigh.

  3. Paul F. Roberts

    Agreed that other Web 2.0 vendors will need to get on SSL/HTTPS. Microsoft had actually committed to it before FireSheep.

  4. Anonymous

    I’d call it a halfway win, as MS has instituted HTTPS as an “option”; it is not mandatory, so we aren’t there yet. Almost... but it will take a big egg-on-their-face incident for them to make the right move (par for the course). Lazy non-proactive asshats that they are.

  5. Anonymous

    Microsoft’s lame attempt at fixing the problem on their side does not work. I have changed my Hotmail account to make it so-called secure “https” and also have downloaded FireSheep. Lo and behold, what pops up in FireSheep but my Hotmail account when I log in using https.
