Feeds

Microsoft defends Hotmail's cookie requirement

Log out block 'good for security'

High performance access to file storage

Microsoft has said its new policy of requiring users to accept third party cookies to log out of Hotmail improves security.

We reported the change, which was applied earlier this month, yesterday.

Some readers who contacted El Reg said it raises the risk that accounts will be compromised on public machines, while others who do not allow third party cookies simply found the error message when they tried to log out irritating.

Angus Logan, the product manager for Windows Live ID, told The Register the use of third party cookies has two benefits.

"We write our cookies to multiple domains to give users a good experience with single sign-on, so they can be authenticated to multiple sites (e.g. MSN, Xbox Live, Windows Live, Bing) at once without having to retype their password," he said.

"[It also] helps protect user security, by separating the authentication cookies that are used for different services. If a cookie in one domain is compromised, it means that user assets in another domain won't be compromised."

Microsoft now uses third party cookies - more controversial than first-party ones because they allow tracking across multiple websites and services - for log out to check whether users are logged into more than one of its web services.

"During sign-in, we redirect to the right domain so that the cookies can be written in first-party context," Logan said.

"It's only during sign-out, where we need to clear cookies from potentially many domains that we have login.live.com clearing cookies in other domains via the invisible GIF solution*. We are actually removing cookies in this scenario, but it's interpreted by browsers as using third party cookies."

Hotmail users who don't accept third party cookies must now shut down their browser to log out. ®

*There's more info here.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.