Hotmail Always-On Encryption Breaks Microsoft’s Own Apps


Oh look, Microsoft is late to the party again? They are finally launching full-session SSL encryption to Hotmail a mere 2 years after Google did the same thing for Gmail.

It looks like the release of FireSheep really has had an impact on web-application vendors due to the amount of mainstream media coverage it got and the sheer number of downloads.

At least they are doing something and I hope more vendors follow and give users an option to force full-session HTTPS connections for all web properties.

For the first time in its 13-year history, Microsoft’s Hotmail comes with the ability to protect email sessions with secure sockets layer encryption from start to finish.

It’s the same always-on encryption Google Mail has offered for more than two years. And it comes with some pretty extreme limitations – namely the inability to protect email that’s downloaded using Microsoft apps including Outlook Hotmail Connector (required to use Outlook with Hotmail) and Windows Live Mail. But to hear Microsoft describe the new feature, you’d think it was a cure for the common cold.

“As you saw, with the recent additions of several security features to Hotmail, including Single-Use codes and new account recovery options, building towards the most secure webmail experience is very important to us,” a spokeswoman, who asked that her name not be published, wrote in an email. “We will continue to incorporate leading-edge security features to better protect our customers. With today’s addition of full-session SSL encryption to Hotmail, we are delivering even more secure Hotmail sessions.”

The funny thing is, now they have pushed this out, but only for the web. If you are using software to access your Hotmail account (Outlook or Windows Live Mail) it doesn’t work. I wonder if anyone has tried it with Thunderbird yet, or any other third-party apps?

Gmail works flawlessly with TLS/SSL for all apps I’ve tried. I’m not a Hotmail user, so I can’t confirm or deny the above. It does give some modicum of security if the users in question only access their Hotmail via the web interface, but if they are using software, they are still vulnerable.


Microsoft’s online services have long played second fiddle to those of Google, and judging from Tuesday’s announcement, security is no exception. Not only is Gmail’s HTTPS encryption turned on by default, it also works flawlessly with a variety of email apps such as Thunderbird, Eudora, and even Microsoft’s Outlook. We asked Microsoft to explain why its own SSL doesn’t work with its own apps, and whether it might work with other email clients, but all we got was the above-quoted marketing fluff.

That’s unfortunate, because unsecured email has been the elephant in the room for more than a decade, making Hotmail users who check their email from public Wi-Fi vulnerable to snoops. For most Reg readers this is old news. But for readers of mainstream publications, it only sank in two weeks ago, with the advent of Firesheep, a Firefox plugin that makes stealing authentication cookies from Facebook, Twitter and, yes, Hotmail, a snap.

Enter Microsoft with a watered-down solution that’s certainly better than nothing. But given the fanfare with which it was announced, one wonders if it will give Hotmail users a false sense of security. And that’s not much of a selling point, now is it?

The bad thing is, if it gives users a false sense of security, as in most cases, that is worse than no security at all. And honestly, does the average Joe user know what SSL or TLS is? Or that they should use https:// when connecting to sites that require authentication?

Really? I don’t think they do, and nor will they care until some kiddy fires up FireSheep in the local Starbucks and steals all their accounts.

What will they do then? Most likely find this site and e-mail me offering me money to ‘hack’ their account back.

Source: The Register
