Three weeks after researchers unveiled a plugin that allows Firefox Web browser users to snoop on the Webmail and social networking sessions of those around them, Microsoft has announced an option that will allow users of its Hotmail Web e-mail program to browse securely.
The company said on Tuesday that it was adding full session SSL encryption for Hotmail. Users of that service can enable HTTPS for their messages, calendar and contacts using a Web based interface. Microsoft had previously used SSL encryption only to secure connections at login, and first announced that it would deliver full session encryption in late September.
Related Web based services, including SkyDrive, Photos, Docs and Devices will all use SSL automatically from now on, according to the post on the Windows Team Blog, which was attributed to Dick Craddock, Group Program Manager for Windows Live Hotmail.
The insecurity of Web sessions has long been a bone of contention between security researchers and Web 2.0 firms, who have preferred accessibility and feature development over security. The demonstration of FireSheep at the ToorCon Conference in San Diego in late October changed that.
The plugin, developed by independent researcher Eric Butler and Ian Gallagher of Security Innovation, monitors unencrypted wireless networks for Web 2.0 sessions then allow the FireSheep user to impersonate the authenticated user, effectively snooping on his or her session in an attack known as “session hijacking” or “sidejacking.” Using SSL encrypted HTTP prevents others from being able to view the content of a Web session, even on an insecure wireless network.
The demonstration unleashed a flood of news coverage, controversy and interest in the plugin. FireSheep has been downloaded more than 600,000 times since it was unveiled at ToorCon. That coverage put pressure on Web application firms to offer an option for users to securely connect to and interact with their Web sites. At the time of the demonstration, Google was one of the few companies that used SSL by default for its GMAIL Web based e-mail.
While Microsoft’s full session encryption had been in the works for some time, it is expected that other organizations will be rolling out secure interfaces in the weeks ahead, as well.
As is often the case, however, security comes at a cost. The blog post notes that turning on SSL will break the Outlook Hotmail Connector, as well as integration with Windows Live Mail and the Windows Live application for mobile devices using Windows Mobile (Version 6.5 and earlier) and Symbian.