Hotmail Always-On Encryption Breaks Microsoft’s Own Apps


Oh look, Microsoft is late to the party again? They are finally launching full-session SSL encryption to Hotmail a mere 2 years after Google did the same thing for Gmail.

It looks like the release of FireSheep really has had an impact on web-application vendors due to the amount of mainstream media coverage it got and the sheer number of downloads.

At least they are doing something and I hope more vendors follow and give users an option to force full-session HTTPS connections for all web properties.

For the first time in its 13-year history, Microsoft’s Hotmail comes with the ability to protect email sessions with secure sockets layer encryption from start to finish.

It’s the same always-on encryption Google Mail has offered for more than two years. And it comes with some pretty extreme limitations – namely the inability to protect email that’s downloaded using Microsoft apps including Outlook Hotmail Connector (required to use Outlook with Hotmail) and Windows Live Mail. But to hear Microsoft describe the new feature, you’d think it was a cure for the common cold.

“As you saw, with the recent additions of several security features to Hotmail, including Single-Use codes and new account recovery options, building towards the most secure webmail experience is very importance to us,” a spokeswoman, who asked that her name not be published, wrote in an email. “We will continue to incorporate leading-edge security features to better protect our customers. With today’s addition of full-session SSL encryption to Hotmail, we are delivering even more secure Hotmail sessions.”

The funny thing is, now they have pushed this out…but only for the web. If you are using software to access your Hotmail account (Outlook or Windows Live Mail) it doesn’t work..I wonder if anyone has tried it with Thunderbird yet? Or any other 3rd party apps.

Gmail works flawlessly with TLS/SSL for all apps I’ve tried, I’m not a Hotmail user so I can’t confirm or deny the above. It does give some modicum of security if the users in question only access their Hotmail via the web interface – but if they are using software..they are still vulnerable.


Microsoft’s online services have long played second fiddle to those of Google, and judging from Tuesday’s announcement, security is no exception. Not only is Gmail’s HTTPS encryption turned on by default, it also works flawlessly with a variety of email apps such as Thunderbird, Eudora, and even Microsoft’s Outlook. We asked Microsoft to explain why its own SSL doesn’t work with its own apps, and whether it might work with other email clients, but all we got was the above-quoted marketing fluff.

That’s unfortunate, because unsecured email has been the elephant in the room for more than a decade, making Hotmail users who check their email from public Wi-Fi vulnerable to snoops. For most Reg readers this is old news. But for readers of mainstream publications, it only sank in two weeks ago, with the advent of Firesheep, a Firefox plugin that makes stealing authentication cookies from Facebook, Twitter and, yes, Hotmail, a snap.

Enter Microsoft with a watered-down solution that’s certainly better than nothing. But given the fanfare with which it was announced, one wonders if it will give Hotmail users a false sense of security. And that’s not much of a selling point, now is it?

The bad thing is, if it gives users a false sense of security – as in most cases..that is worse than no security at all. And honestly does the average joe user know what SSL or TLS is? Or that they should use https:// when connecting to sites that require authentication?

Really? I don’t think they do, and nor will they care until some kiddy fires up FireSheep in the local Starbucks and steals all their accounts.

What will they do then? Most likely find this site and e-mail me offering me money to ‘hack’ their account back.

Source: The Register

Posted in: Countermeasures, Cryptography, Networking Hacking Tools

,


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


Comments are closed.