Hotmail security improves with full-session HTTPS encryption

Beginning today, Hotmail is providing you with the option to enhance the security of your entire Hotmail session with HTTPS data encryption (via Secure Sockets Layer, or SSL), which is currently used to help secure your Hotmail sign-in. Today’s update joins a series of other recent security updates, with which Hotmail offers advanced security safeguards to help protect your email account from hijackers and fraud.

Also starting today, SkyDrive, Photos, Docs, and Devices pages all automatically use SSL encryption, transferring all their data over HTTPS. By using a connection with advanced security features, you can be even more confident that your account is safer from hijackers, and your private information is less likely to fall into someone else’s hands.

To enable HTTPS for your Hotmail inbox, calendar, and contacts, go to https://account.live.com/ManageSSL. Once you enable this feature, all of your future connections to Hotmail will be delivered over SSL.

Some connections to Hotmail won’t be available if you turn on HTTPS, including:

  • Outlook Hotmail Connector
  • Windows Live Mail
  • The Windows Live application for Windows Mobile (version 6.5 and earlier) and Symbian

We’re constantly working to continue providing great security for our customers, so stay tuned.

Dick Craddock
Group Program Manager
Windows Live Hotmail

51 Comments
  • Nater
    147 Posts

    This is not, however there are much bigger issues.

    1.  Still no HTML Mail in many Mobile Exchange Clients due to the version of ActiveSync used for Hotmail.  At least fake the version so that we can get HTML Mail.  Geeze.  This is a showstopper for mobile users.

    2.  Office Web Apps crashing the stock Android Browser.  Can't even download a file because it causes a force close in my browser.  Have you guys even tested that?  It works in Opera but the fonts are so large that you can hardly see anything, and there are buttons/links missing.

    I don't want to edit them online, I just want to download my damn files off SkyDrive.  This is a showstopper.  It's practically unusable from my phone and I'm stuck carrying around TWO PHONES just to get my files off SkyDrive.

    3.  I'd ask again about a Windows Live Messenger client for Android, but you guys seem unable to even make one for your own new mobile platform.  I've given up hope on that...

    Sorry I have to bring my Android woes up yet again, but you have to remember you guys had Windows Mobile 6.x floating around for years and it's complete crap.  I stuck with it as long as I could and I wasn't about to wait 6 months with a WinMo device when there were better alternatives out there.  You guys need to step it up.  I'm on my last straw with Windows Live...

    Gonna just go ahead and reactivate my Hosted Exchange account because Hotmail is unusable for me at the moment.  I'd rather pay for decent email service than be crippled on a free offering.

  • @northbanker - Yes if you enable "Use HTTP Automatically" you'll hit this again.

    You have a few options, and I appreciate that I have no idea if these will work for you or your phone:

    1) Use the touch version of our site from an iPhone\Android\Windows Mobile 7 or other suitably high spec phone

    2) Use Exchange Active Sync

    3) Use POP3

    All of these work when you enable SSL and ensure your 'cookies' are protected on the network.

  • Thanks Ben.  Yeah, I figured out about an hour ago that it was cache/cookies-related and now both phones/users can get to Hotmail again.  Phew.

    Now I'm left wondering if I re-enable the "Use HTTPS Automatically" again, am I playing with fire.  Would those phones likely go back to giving that "... doesn't work with HTTPS in Hotmail" error again? (that's my hunch but I'm not exactly sure why, other than they're old phones with old browsers)

  • i get the same error as alpha699, in both firefox (3.6.12) and ie 8 running on Windows 7.

  • @ northbanker - There's data burnt into the cookie that prevents you from logging in to our non-Touch mobile UI when you enable SSL. When you disable the option you'll need to clear the cookies on your phone to get back in.

    The cookies on mobile are issued for a lot longer than PC because it's a pain to keep re-entering the username and password. As a result it's quicker to clear them yourself rather than wait for this to automatically happen.

    Ben

  • When did Hotmail HTTPS functionality start to change?

    In the last few weeks (not sure exactly when), on a couple of old phones I support, we started seeing "The browser you're using doesn't work w/ HTTPS in Hotmail".  For both of those users I found that they had the new(?) Option in Hotmail called "Use HTTPS Automatically" enabled, so today I turned that off for both of them, i.e. "Don't use HTTP Automatically".  But they still get the above HTTPS error.

    Hasn't Hotmail been doing HTTPS for the login sequence for years?  If so, why would these users start getting this new HTTPS error just recently?

  • @ Alex Simkin : I know two categories can be created. But I was just making a suggestion for improvement. As you say, " just create two categories". Suppose I create two categories viz 1st :School Friends, 2nd :Office Friends. Now it would not be that easy to see my all friends in totality as I would have to go to two categories. But in case of my suggestion I can see all my friends in one category and after that going to SUB CATEGORY.

  • controlz
    145 Posts

    @ trulyindian - just create two categories

  • I HAVE A SUGGESTION FOR HOTMAIL. BUT I COULD NOT FIND A SITE OF YOURS WHERE I COULD POST MY SUGGESTION SO I AM POSTING IT HERE. It would be a really great feature, if we could create sub category in Contacts. For Eg: I have a category in contacts named "FRIENDS". Now I want to differentiate between my school friends and my professional friends. So it would be great if we could add sub category in FRIENDS category viz. School Category and Professional Friends category.

  • avensog
    8 Posts

    Exactly what 7flavor said.

    They probably haven't added it because most users are too clueless on the subject.

    It's also a lot more difficult to add it to their pc applications as opposed to adding encryption to websites.

    I doubt they will add it as live mail etc only extends to users using mac or windows, its just not worthwhile for them to add it.

    They seem to remain hush about the subject which means they are not planning on implementing this now or near the future.

  • 7flavor
    352 Posts

    It is equally important to make sure Live Mail, Live Photo Gallery and Live Writer also support HTTPS or equivalent secure protocols (secure POP3, secure IMAP, FTPS/SFTP). Maybe some future day?

  • controlz
    145 Posts

    @ Ben Vincent - thanks for the info.

  • jvd897
    8 Posts

    @guest: The problem is that Exchange ActiveSync only works on mobile devices. If you want to check your Hotmail with any other email client, it has to be compatible with Microsoft's proprietary sync protocols: so you're limited to Microsoft's own clients, such as Windows Live Mail, the Outlook Connector, etc. You can't use clients like Thunderbird or even Windows Mail/Outlook Express unless you sync via POP3, which is horribly limited. And this means you're stuck with POP3 if you use Mac or Linux.

  • guest
    8 Posts

    First: I'm optimistic that SSL will work in the future with WLM and other clients with which it doesn't work right now.

    Second: I will never understand what is the point with IMAP if you have active sync, which syncs not only your folders but calendar, contacts... stop complaining about not having IMAP! ;)

  • logos
    16 Posts

    getting invalid certificate warnings in both IE9  and Firefox, with the ability to unblock content in IE9, while the whole interface is completely "broken" in Firefox, while running an ssl session with livemail. Not mentioning that once enabled, Windows Live Mail client doesn't work anymore (obviously with DeltaSync)... but there's a warning on the MS ssl setting page, so I won't complain. Hope next step is IMAP (as, I might be wrong, but I don't think DeltaSync could ever run on ssl). Adding that to use SSL, IMAP as well as POP don't depend on whether or not the web interface is ssl secured anyway.

  • @jtwright - I wanted to get some more details on the Custom Domain problem. Can you send me a private message on this site with a contact email address? I use a custom domain and have not had a problem throughout our development of SSL, so I'm interested to see what's going on.

  • @jmv2009 - The reason for the 'delay' is the caching of security tokens that is done by the clients and the browser. In the case of the browser we force a refresh of the token (cookie) when you change the setting. But the client's token remains valid until it's automatically refreshed, which can take up to a few hours based on when it was last refreshed. The only way to force the client to refresh is to remove the account and re-add it.

  • @Alex Simkin - Family Safety Child accounts can't switch to SSL because it would break the ability of the Family Safety software to do its job.

  • @ Ben Vincent - Thanks! I just enabled it :) guess I'll be using SSL hotmail on my Windows Phone after all.

  • controlz
    145 Posts

    It doesn't work with Family Safety managed accounts. :-( Why?

  • langware
    154 Posts

    This morning (Wed, Nov 10), a moderator in The Windows Live Solution Center, posted this (in response to a question about full session SSL in Hotmail) ....

    "Yes, the SSL feature is currently being rolled out but it's not yet complete.  This is the reason why we can't give further info as we're still waiting for the completion of this update."

    Here's a link to the thread ...

    windowslivehelp.com/thread.aspx

    What is meant by "it's not yet complete", and why haven't you given the moderators enough information so that they can inform your customers about the status of the roll out? Your article implies that the roll out is complete (yes, you clearly state the current restrictions on full session SSL, but you do imply that the roll out of the initial version is complete). However, it appears that either the moderators on The Windows Live Solution Center are not fully informed, or the rollout is not complete.

    Can you clear up this issue?

  • jmv2009
    2 Posts

    About the error 3202, mentioned earlier: It indeed resolved itself. Took hours though.

  • 'Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type.'

    What are the restrictions on account types?

    Thanks

  • Aura
    2 Posts

    There's only one thing that can be said:

    Better late than never.

    Still, from what I read here in the comments and around the Internet, more work needs to be done for MS to really enter the 21st century in terms of secure email.

    Oh well, it's a start.

  • jmv2009
    2 Posts

    I set the HTTPS security. But windows live mail still worked.

    Then this morning, It stopped working.

    I unset the HTTPS security.

    It still doesn't work anymore. Seems like the HTTPS setting has to work itself through the system for many hours?

    I hope it will resolve itself

    *******************************

    Actual error message in windows live mail:

    Unable to send or receive messages for the Hotmail (**) account.

    Server Error: 3202

    Server: 'mail.services.live.com/.../Sync.aspx&

    Windows Live Mail Error ID: 0x8DE00005

  • I am having the same problem as Chris.  I have a WL Custom Domain, but no matter which URL I use to get to my email, I get page cannot be displayed.  I have tried, mail.mydomain.com, hotmail.com, and mail.live.com.  I tried each of these with and without https. These all worked before I made the switch to SSL.

  • So I have enabled the Automatic SSL feature.  Now, every time I go to access my mailbox from IE9 or Firefox 4 Beta 6, I get the "IE Cannot display the webpage", and FireFox displays something similar.  I have multiple systems that have this very same problem.  If I disable Automatic SSL, I can access my mailbox (via plain unsecure HTTP).  If I manually try https://mail.live.com, I get the same error messages above.  The only difference is HTTPS.  How can this be fixed or resolved?

  • avensog
    8 Posts

    nice work on proxifying the ads, I always wondered how you were going to go about allowing ssl encryption to work properly with your ads.  That was the reason why full-ssl encryption took so long wasn't it :p

    By the way, I created a new account and it does not seem that all your clusters have been updated yet, because I cannot enable ssl, I get the error message "this feature is not available..".

    I noticed the default encryption for ssl is rc4, any chance AES will be supported as a non-default encryption type?  Gmail allows this.

  • avensog
    8 Posts

    The concept used in firesheep has been around for MANY years.

    It's called a man in the middle attack:

    en.wikipedia.org/.../Man-in-the-middle_attack

    Firesheep just made it very easy to hijack a user account that even the most computer illiterate moron can use.

  • Good move by Windows Live! Good to see that Microsoft responded to the HTTPS/SSL issues raised by Firesheep and go ahead to protect their users from attack. Thank you and keep up the good work!

  • @All – Calendar is now fully functional over SSL (for users who opt-in).

    We are aware of an issue where the link from Hotmail to Calendar results in an error. This doesn’t break the SSL protection and can be worked around by connecting directly to https://calendar.live.com. We know exactly what the issue is and will be resolving it shortly.

    @Adrian_Nethercott – Thank you for reporting this error, it helped us clarify what the issue was.

  • @george_c_ou - Whilst it's possible to detect the client type, it's something that can easily be spoofed by a hacker. To ensure full protection of your account this is one of a number of attack vectors we had to mitigate.

  • @probablyclueless - Thanks for the feedback, we worked hard to ensure we had a great SSL experience from day one. We're proxying all content from 3rd parties to ensure you get SSL throughout Hotmail.

  • @James Manes - If you're using WinMo 7 then you can turn on SSL. WinMo7 uses EAS which runs over SSL.

  • I'll switch to this after it is fixed for mobile.. I want everything to work on my Windows Phone 7.

  • I've permanently turned on SSL since I don't use Windows Live Mail or a mobile client.  It works fine for me, except clicking on Hotmail > Calendar gives me a "There is a problem with this website's security certificate." error.  It works if I click "Continue Anyway".  I'm also using Internet Explorer 9 Beta and Windows 7.

  • @belami  When you say Windows Live Calendar stopped working, what are you seeing?  I am running IE 9 on Windows 7 and am able to use Windows Live Calendar and Hotmail with https, either for a session or by turning it on by default.

  • belami
    1 Posts

    I turned it on and Windows Live Calendar stopped working for me. I had to turn it off so I could use Calendar. You should look into this glitch. I am running IE9 on Windows 7.

  • Why not automatically detect the client type as IE, Firefox, Chrome on PC or Mac and enable HTTPS automatically and not break Connector, Live Mail, and Mobile/Symbian?

    Better yet, why not fix those clients to fully support SSL?  Might be OK to leave Mobile unencrypted if it's going over 3G.

  • Thanks for the always on https! Are there any plans to support having https turned on by default and still support Windows Live Mail? I'm a big fan of Windows Live Mail but I also want https always on.

  • Is Hotmail team doing this because of this? :)

    www.digitaltrends.com/.../facebook-and-twitter-fail-basic-security-test

  • Yes, this is breaking the calendar and several other pages. Oh, you also don't seem to be able to get rid of the "nag" message about turning this on. It's a great step, but it's only 1/2 done, especially since it also breaks Outlook and Windows Live Mail.

  • hdw
    25 Posts

    This is mostly good. But if it kills functionality I don't think I'll be turning on HTTPS for the moment. I hope you can get the issue resolved quickly (especially Live Mail).

  • I love that everything gets encrypted with Hotmail, unlike Gmail. Well done!

  • I agree with GraphiteCube... But it also disables Windows Live Home and most of settings pages... I had to disable it because it only let me use Hotmail

  • Earlier comments from Microsoft people on this blog, indicated that DeltaSync clients would support SSL.  When is that happening?

    What is the official starting url for temporary https access, is it https://mail.live.com?

    Is there any way to bypass "Trying to use Hotmail with HTTPS?" prompt after a temporary https login?  Why is it needed on every login?  Please add an option to turn it off, if one doesn't exist.

  • JimJim
    4 Posts

    This is a good step. Let's see how it goes and make sure all is working.

    However, it won't be useful unless it is, at some point, made the default option for users. The average user doesn't  tweak any settings let alone changing a security setting they don't understand.

    And thus most Hotmail users will be left unprotected with their private emails able to be easily read by others while using Public Wifi. Users expect and deserve this to be secured - by default.

  • jvd897
    8 Posts

    Fantastic news. When will the Outlook Connector, Windows Live Mail, and the Mobile clients be updated to work with SSL?

  • I like the feature, but I found that after HTTPS encryption was enabled, I couldn't access Windows Live Calendar. Is it a bug or something else related to my browser (BTW, I am using IE 8 on Vista)? Right now I need to access Hotmail without HTTPS encryption in order to access my calendar.

  • Can't imagine what prompted this! ;)

    Regardless this is a good step for any service to take.  I don't use Hotmail myself (full disclosure: Gmail user here) but I'm sure this will help lots of your users.  Though you should definitely make it the default after it's been in use for a bit and has been proven stable, and you can get those other connections working.