Feeds

Hotmail always-on crypto breaks Microsoft's own apps

Redmond's answer to Firesheep not ready for prime time

SANS - Survey on application security programs

For the first time in its 13-year history, Microsoft's Hotmail comes with the ability to protect email sessions with secure sockets layer encryption from start to finish.

It's the same always-on encryption Google Mail has offered for more than two years. And it comes with some pretty extreme limitations – namely the inability to protect email that's downloaded using Microsoft apps including Outlook Hotmail Connector (required to use Outlook with Hotmail) and Windows Live Mail. But to hear Microsoft describe the new feature, you'd think it was a cure for the common cold.

“As you saw, with the recent additions of several security features to Hotmail, including Single-Use codes and new account recovery options, building towards the most secure webmail experience is very importance to us,” a spokeswoman, who asked that her name not be published, wrote in an email. “We will continue to incorporate leading-edge security features to better protect our customers. With today's addition of full-session SSL encryption to Hotmail, we are delivering even more secure Hotmail sessions.”

Microsoft's online services have long played second fiddle to those of Google, and judging from Tuesday's announcement, security is no exception. Not only is Gmail's HTTPS encryption turned on by default, it also works flawlessly with a variety of email apps such as Thunderbird, Eudora, and even Microsoft's Outlook. We asked Microsoft to explain why its own SSL doesn't work with its own apps, and whether it might work with other email clients, but all we got was the above-quoted marketing fluff.

That's unfortunate, because unsecured email has been the elephant in the room for more than a decade, making Hotmail users who check their email from public Wi-Fi vulnerable to snoops. For most Reg readers this is old news. But for readers of mainstream publications, it only sank in two weeks ago, with the advent of Firesheep, a Firefox plugin that makes stealing authentication cookies from Facebook, Twitter and, yes, Hotmail, a snap.

Enter Microsoft with a watered-down solution that's certainly better than nothing. But given the fanfare with which it was announced, one wonders if it will give Hotmail users a false sense of security. And that's not much of a selling point, now is it? ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.