Update 2: Microsoft has fixed the bug; all users can now enable HTTPS.
Update: Further testing by EFF International Activist Eva Galperin found that, in addition to Arab countries and Iran, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan are also affected.
This morning, a Syrian Hotmail user noted that he could not turn on HTTPS on Hotmail. On closer look, we learned that the user was actually in Jordan, and had his Hotmail location set to Jordan as well…and yet he was still blocked from turning on the “use HTTPS automatically” setting.
Specifically, Microsoft Hotmail’s HTTPS feature states that turning on HTTPS will work for Hotmail over the Web, but will cause errors through external programs. Users can still force HTTPS temporarily, for a given page. We have confirmed that users in some of the countries below are able to force HTTPS (either by typing it in manually or using a program like HTTPS Everywhere); however, we cannot confirm that this works for everyone, or on all pages. In any case, it’s imperative that users have access to encryption all the time.
Replicating the Error
I quickly created a Hotmail account to see if I could replicate the situation; sure enough, when I set my location to the United States, I could turn on HTTPS as a setting, but when I switched to Jordan, I could not. I tested several other Arab countries–Syria, Bahrain, Lebanon, Morocco, Algeria–also no HTTPS. I then tested Guatemala, Israel, and Turkey: all fine. France, Germany: fine. Iran…no HTTPS.
To replicate or test for the error yourself, log in to your Hotmail account and set your location, then try to turn on HTTPS.
The message received by users with their settings turned to one of the aforementioned countries is: Your Windows Live ID can’t use HTTPS automatically because this feature is not available for your account type.
…in which “account type” = Arab/Iranian.
Incidentally, users in the aforementioned countries are able to easily change their location setting to the United States (or another country) and then successfully turn on HTTPS. It is therefore interesting that, whatever Microsoft’s reasons for barring users from HTTPS, they chose not to enforce by IP address.
By contrast, Yahoo mail does not offer HTTPS, while Gmail enforces HTTPS by default in all countries.
This isn’t the first time Microsoft has acted prejudicially toward Arab users: In 2010, my colleague Helmi Noman at the OpenNet Initiative discovered that Microsoft’s Bing was blocking Arabic-speaking users (e.g., those using the Arabic-language/Arab countries version of Bing) from searching for certain terms, mostly related to sexual content.
For activists, there are two courses of action: Either change your location to a country that will allow you to enforce HTTPS or switch to Gmail or another secure service.
As for Microsoft, we’ve let them know about the situation. It is my hope that this is a mistake and will soon be corrected. I’ll keep you posted.
40 replies on “Microsoft Hotmail: No HTTPS for Arab, Iranian Users”
Good wrap-up. Well done.
[…] who's also an Advocacy contributor, proceeded to investigate the issue further. Her first suspicion was export controls due to sanctions imposed on Syria, but the user stated […]
I think there are two different matters here and we need to separate them.
1. As part of the move to use HTTPS everywhere, there are arrangements by which one can arrange to automatically use HTTPS. For example, if I typed jilliancyork.com in my browser, having it automatically supply https:// instead of http://. With the Windows Live properties, which are not all on the same domain names, there is an erratically-implemented option to provide something similar when Windows Live ID authentication is involved.
2. The second part is to actually have sites *honor* https:// access and do the right thing with good-quality security certificates. These accomplish two things: they provide confidence that the site you’ve reached is the real thing (subject to the quality of the way the certificate is issued) and they establish encryption of the traffic between the site and your browser. Both of these are important, lest you be in an encrypted exchange with an untrustworthy party. (In the case of e-mail, encrypting the message would defeat an untrustworthy interception but it might also not reach the intended party and might also attract unwanted attention.)
It appears that https://hotmail.com works just fine and if it doesn’t the interference is probably between you and hotmail.com (or you may be reaching a different hotmail.com presence in your region of the planet). However, the secure connection only works while you’re on hotmail.com. If you followed any links in hotmail.com to locations in other domains, whether Windows Live or elsewhere, you might no longer have an https:// connection for those accesses.
I think it is important to recognize that “compromises” is the wrong verb here.
The movement of all of the mentioned sites to HTTPS is a new thing. In the past, HTTP has been the uniform way of accessing web sites, including ones that provide services like Hotmail.
The automatic use of HTTP is a new feature, not some removal of capability.
I do think it is important to Microsoft to be straight about why this new provision is not uniformly available and how it seems to be capricious in some way. But they didn’t compromise anything.
And, you know, it doesn’t matter how secure the individual connections to Windows Live properties are if the content is made available to third parties, by whatever means. HTTPS, to the degree that it provides privacy, only provides that privacy on the transmission, not on what is held onto by the other party, including an intermediary like Hotmail or Messenger.
Um, with regard to the importance of encryption everywhere, that also means the communication itself needs to be encrypted, because otherwise the intermediary can do whatever is wanted with it, and if the recipient doesn’t use an encrypted connection to receive the message eavesdropping and interception remain possible. HTTPS is important. It is not a silver bullet when the stakes of lost-privacy are high.
Wrong; several users have reported that, recently, they *could* use the setting. It is therefore compromising for MSFT to suddenly take away that setting, and without warning (assuming this is true; I cannot confirm if the setting was previously available).
Nevertheless, HTTPS has been available via Gmail since 2004, though the “always on” setting is relatively new (2009? Can anyone confirm?).
Firesheep, and other easy-to-use sniffing programs are fairly new, however, and increasingly popular. There have been an increasing number of reports of man-in-the-middle attacks in the Middle East and North Africa in recent months. I don’t think it’s crazy to expect that social media and email hosts get with the program and ensure security across their platforms; if they don’t, their competitors will.
And yes, I acknowledge that HTTPS is not a silver bullet; however, the primary concern to many users in the Middle East/North Africa right now is not the intermediary, but their own governments/other local entities.
Microsoft enabled the full https feature for Hotmail only last November 2010…
[…] reported by Jillian C. York, the issue was originally thought to only encompass Arabic and Iranian users, but with further […]
According to MS, this was a bug that has been fixed:
http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/
[…] I blogged that users in Iran, all Arab countries, Burma, Nigeria, and the Central Asian nations had been […]
@Jillian, according to the Register article, Microsoft has confirmed that the feature for turning on Windows Live ID automatic HTTP was originally working globally. It is now reported to be working globally again. (I can’t test that because I don’t use the feature.)
I notice with concern that this is not the same as blocking HTTP, which apparently did not happen. It is that over-generalization that will probably never disappear because it is so simplistic and dramatic and it appeals to painting a black-and-white picture of the world. It also overlooks that there were simple workarounds all along. (E.g., if Microsoft had blocked HTTP access to its properties, it would not matter what browser was used to access Hotmail.) Pity.
[…] For reasons not yet communicated, Microsoft has simply withdrawn HTTPS from users of its own e-mail service Hotmail in Arab countries. Jillian C. York received the first indications of this this morning and, over the course of the day, verified the report and blogged it: Microsoft Hotmail: No HTTPS for Arab, Iranian Users. […]
[…] Syrian Hotmail could not turn on (Hypertext Transfer Protocol Secure (HTTPS) on Hotmail and, “he was … blocked from turning on the ‘use HTTPS automatically’ setting.” Eva Galperin, an Electronic Frontier Foundation staffer followed up, and found that the […]
[…] Jillian C. York » Microsoft Hotmail: No HTTPS for Arab, Iranian Users […]
[…] move – initially reported by Jillian C. York, who writes for Al Jazeera English – could potentially have allowed government-controlled ISPs to […]
[…] a golden opportunity to download EFF’s HTTPS Everywhere Firefox add-on, this is it. Microsoft appears to have turned off the always-use-HTTPS option in Hotmail for users in more than a dozen countries, […]
[…] from unauthorized access. But late last week, Hotmail users in several countries found they were no longer able to access that security feature, meaning their emailing activities could be easily monitored by their Internet Service Provider, […]
[…] Microsoft keeps Arabic users from using HTTPS. Jillian York reported that she and others tested and found that users in Arabic countries, as well as users in Iran, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan, could not employ the secure browsing protocol. In response, Microsoft said it was not intentional, but a bug, and they have fixed the bug. […]
[…] who also contributes to Advocacy, went on to investigate this matter further. Her first suspicion was the sanctions imposed on Syria concerning the […]
[…] Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan and Kyrgyzstan. Several users reported this on Twitter and […]