Hotmail Always-On Encryption Breaks Microsoft’s Own Apps


Oh look, Microsoft is late to the party again? They are finally launching full-session SSL encryption to Hotmail a mere 2 years after Google did the same thing for Gmail.

It looks like the release of FireSheep really has had an impact on web-application vendors due to the amount of mainstream media coverage it got and the sheer number of downloads.

At least they are doing something and I hope more vendors follow and give users an option to force full-session HTTPS connections for all web properties.

For the first time in its 13-year history, Microsoft’s Hotmail comes with the ability to protect email sessions with secure sockets layer encryption from start to finish.

It’s the same always-on encryption Google Mail has offered for more than two years. And it comes with some pretty extreme limitations – namely the inability to protect email that’s downloaded using Microsoft apps including Outlook Hotmail Connector (required to use Outlook with Hotmail) and Windows Live Mail. But to hear Microsoft describe the new feature, you’d think it was a cure for the common cold.

“As you saw, with the recent additions of several security features to Hotmail, including Single-Use codes and new account recovery options, building towards the most secure webmail experience is very importance to us,” a spokeswoman, who asked that her name not be published, wrote in an email. “We will continue to incorporate leading-edge security features to better protect our customers. With today’s addition of full-session SSL encryption to Hotmail, we are delivering even more secure Hotmail sessions.”

The funny thing is, now they have pushed this out…but only for the web. If you are using software to access your Hotmail account (Outlook or Windows Live Mail) it doesn’t work..I wonder if anyone has tried it with Thunderbird yet? Or any other 3rd party apps.

Gmail works flawlessly with TLS/SSL for all apps I’ve tried, I’m not a Hotmail user so I can’t confirm or deny the above. It does give some modicum of security if the users in question only access their Hotmail via the web interface – but if they are using software..they are still vulnerable.


Microsoft’s online services have long played second fiddle to those of Google, and judging from Tuesday’s announcement, security is no exception. Not only is Gmail’s HTTPS encryption turned on by default, it also works flawlessly with a variety of email apps such as Thunderbird, Eudora, and even Microsoft’s Outlook. We asked Microsoft to explain why its own SSL doesn’t work with its own apps, and whether it might work with other email clients, but all we got was the above-quoted marketing fluff.

That’s unfortunate, because unsecured email has been the elephant in the room for more than a decade, making Hotmail users who check their email from public Wi-Fi vulnerable to snoops. For most Reg readers this is old news. But for readers of mainstream publications, it only sank in two weeks ago, with the advent of Firesheep, a Firefox plugin that makes stealing authentication cookies from Facebook, Twitter and, yes, Hotmail, a snap.

Enter Microsoft with a watered-down solution that’s certainly better than nothing. But given the fanfare with which it was announced, one wonders if it will give Hotmail users a false sense of security. And that’s not much of a selling point, now is it?

The bad thing is, if it gives users a false sense of security – as in most cases..that is worse than no security at all. And honestly does the average joe user know what SSL or TLS is? Or that they should use https:// when connecting to sites that require authentication?

Really? I don’t think they do, and nor will they care until some kiddy fires up FireSheep in the local Starbucks and steals all their accounts.

What will they do then? Most likely find this site and e-mail me offering me money to ‘hack’ their account back.

Source: The Register

Posted in: Countermeasures, Cryptography, Networking Hacking Tools

,


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.


Comments are closed.