Hotmail always-on crypto breaks Microsoft's own apps
Redmond's answer to Firesheep not ready for prime time
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
For the first time in its 13-year history, Microsoft's Hotmail comes with the ability to protect email sessions with secure sockets layer encryption from start to finish.
It's the same always-on encryption Google Mail has offered for more than two years. And it comes with some pretty extreme limitations – namely the inability to protect email that's downloaded using Microsoft apps including Outlook Hotmail Connector (required to use Outlook with Hotmail) and Windows Live Mail. But to hear Microsoft describe the new feature, you'd think it was a cure for the common cold.
“As you saw, with the recent additions of several security features to Hotmail, including Single-Use codes and new account recovery options, building towards the most secure webmail experience is very importance to us,” a spokeswoman, who asked that her name not be published, wrote in an email. “We will continue to incorporate leading-edge security features to better protect our customers. With today's addition of full-session SSL encryption to Hotmail, we are delivering even more secure Hotmail sessions.”
Microsoft's online services have long played second fiddle to those of Google, and judging from Tuesday's announcement, security is no exception. Not only is Gmail's HTTPS encryption turned on by default, it also works flawlessly with a variety of email apps such as Thunderbird, Eudora, and even Microsoft's Outlook. We asked Microsoft to explain why its own SSL doesn't work with its own apps, and whether it might work with other email clients, but all we got was the above-quoted marketing fluff.
That's unfortunate, because unsecured email has been the elephant in the room for more than a decade, making Hotmail users who check their email from public Wi-Fi vulnerable to snoops. For most Reg readers this is old news. But for readers of mainstream publications, it only sank in two weeks ago, with the advent of Firesheep, a Firefox plugin that makes stealing authentication cookies from Facebook, Twitter and, yes, Hotmail, a snap.
Enter Microsoft with a watered-down solution that's certainly better than nothing. But given the fanfare with which it was announced, one wonders if it will give Hotmail users a false sense of security. And that's not much of a selling point, now is it? ®
COMMENTS
Standards?
Have they heard of them in Redmond?
If Hotmail and their desktop clients simply used good ol' IMAP and SMTP spiced with a little SSL/TLS, it would Just Work.
Of course that's the problem with Gmail: It's just so damn good and convenient.
Every time I start to worry about the privacy issues with having Google know as much as they do about my virtual comings and goings, they seem to add just one more neat little feature to Gmail...
Oh, I can quit anytime I want to. Really.
(Where's the crack addict icon.)
hmmm...
----
one wonders if it will give Hotmail users a false sense of security.
----
MS software giving (clueless) users a false sense of security? Say it ain't so!?
And it bloody doesn't work
As a paying customer I get "Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type.".
Then genius of this error message is just too much. Not guide on why I've got a unsupported account type or what can be done to help me. Just a big fat sod off.
Add that to a password which can't accept non-numeric characters and you have security and user experience designed by idiots I might finally have to get off my ass and get a decent email account. Ho hum...
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
