Microsoft Hotmail: No HTTPS for Arab, Iranian Users
Update 2: Microsoft has fixed the bug; all users can now enable HTTPS.
Update: Further testing by EFF International Activist Eva Galperin found that, in addition to Arab countries and Iran, Myanmar, Nigeria, Kazahstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan are also affected.
This morning, a Syrian Hotmail user noted that he could not turn on HTTPS on Hotmail. At closer look, we learned that the user was actually in Jordan, and had his Hotmail location set to Jordan as well…and yet he was still blocked from turning on the “use HTTPS automatically” setting.
Specifically, Microsoft Hotmail’s HTTPS feature states that turning on HTTPS will work for Hotmail over the Web, but will cause errors through external programs. Users can still force HTTPS temporarily, for a given page. We have confirmed that users in some of the countries below are able to force HTTPS (either by typing it in manually or using a program like HTTPS Everywhere, however, we cannot confirm that this works for everyone, or on all pages). In any case, it’s imperative that users have access to encryption all the time.
Replicating the Error
I quickly created a Hotmail account to see if I could replicate the situation; sure enough, when I set my location to the United States, I could turn on HTTPS as a setting, but when I switched to Jordan, I could not. I tested several other Arab countries–Syria, Bahrain, Lebanon, Morocco, Algeria–also no HTTPS. I then tested Guatemala, Israel, and Turkey: all fine. France, German: fine. Iran…no HTTPS.
To replicate or test for the error yourself, log in to your Hotmail account and set your location, then try to turn on HTTPS.
The message received by users with their settings turned to one of the aforementioned countries is: Your Windows Live ID can’t use HTTPS automatically because this feature is not available for your account type.
…in which “account type” = Arab/Iranian.
Incidentally, users in the aforementioned countries are able to easily change their location setting to the United States (or another country) and then successfully turn on HTTPS. It is therefore interesting that, whatever Microsoft’s reasons for barring users from HTTPS, they chose not to enforce by IP address.
By contrast, Yahoo mail does not offer HTTPS, while Gmail enforces HTTPS by default in all countries.
This isn’t the first time Microsoft has acted prejudicially toward Arab users: In 2010, my colleague Helmi Noman at the OpenNet Initiative discovered that Microsoft’s Bing was blocking Arabic-speaking users (e.g., those using the Arabic-language/Arab countries version of Bing) from searching for certain terms, mostly related to sexual content.
For activists, there are two courses of action: Either change your location to a country that will allow you to enforce HTTPS or switch to Gmail or another secure service.
As for Microsoft, we’ve let them know about the situation. It is my hope that this is a mistake and will soon be corrected. I’ll keep you posted.
Tweet
25.03.2011fubarrossi
Good wrap-up. Well done.
25.03.2011orcmid
I think there are two different matters here and we need to separate them.
1. As part of the move to use HTTPS everywhere, there are arrangements by which one can arrange to automatically use HTTPS. For example, if I typed jilliancyork.com in my browser, having it automatically supply https:// instead of http://. With the Windows Live properties, which are not all on the same domain names, there is an erratically-implemented option to provide something similar when Windows Live ID authentication is involved.
2. The second part is to actually have sites *honor* https:// access and do the right thing with good-quality security certificates. These accomplish two things: they provide confidence that the site you’ve reached is the real thing (subject to the quality of the way the certificate is issued) and they establish encryption of the traffic between the site and your browser. Both of these are important, lest you be in an encrypted exchange with an untrustworthy party. (In the case of e-mail, encrypting the message would defeat an untrustworthy interception but it might also not reach the intended party and might also attract unwanted attention.)
It appears that https://hotmail.com works just fine and if it doesn’t the interference is probably between you and hotmail.com (or you may be reaching a different hotmail.com presence in your region of the planet). However, the secure connection only works while you’re on hotmail.com. If you followed any links in hotmail.com to locations in other domains, whether Windows Live or elsewhere, you might no longer have an https:// connection for those accesses.
25.03.2011orcmid
I think it is important to recognize that “compromises” is the wrong verb here.
The movement of all of the mentioned sites to HTTPS is a new thing. In the past, HTTP has been the uniform way of accessing web sites, including ones that provide services like Hotmail.
The automatic use of HTTP is a new feature, not some removal of capability.
I do think it is important to Microsft to be straight about why this new provision is not uniformly available and how it seems to be capricious in some way. But they didn’t compromise anything.
And, you know, it doesn’t matter how secure the individual connections to Windows Live properties are if the content is made available to third parties, by whatever means. HTTPS, to the degree that it provides privacy, only provides that privacy on the transmission, not on what is held onto by the other party, including an intermediary like Hotmail or Messenger.
25.03.2011orcmid
Um, with regard to the importance of encryption everywhere, that also means the communicaiton itself needs to be encrypted, because otherwise the intermediary can do whatever is wanted with it, and if the recipient doesn’t use an encrypted connection to receive the message eavesdropping and interception remain possible. HTTPS is important. It is not a silver bullet when the stakes of lost-privacy are high.
25.03.2011Jillian
Wrong; several users have reported that, recently, they *could* use the setting. It is therefore compromising for MSFT to suddenly take away that setting, and without warning (assuming this is true; I cannot confirm if the setting was previously available).
Nevertheless, HTTPS has been available via Gmail since 2004, though the “always on” setting is relatively new (2009? Can anyone confirm).
Firesheep, and other easy-to-use sniffing programs are fairly new, however, and increasingly popular. There have been an increasing number of reports of man-in-the-middle attacks in the Middle East and North Africa in recent months. I don’t think it’s crazy to expect that social media and email hosts get with the program and ensure security across their platforms; if they don’t, their competitors will.
15.04.2011jasmine
Hello Dear,
my name is jasmine who viewed your profile today so contact me so that i will tell you futher about myself and send you also my picture for you to know me physically. Here is my email please reply me in my mail address, (jasminematins75@yahoo.com)
25.03.2011Jillian
And yes, I acknowledge that HTTPS is not a silver bullet; however, the primary concern to many users in the Middle East/North Africa right now is not the intermediary, but their own governments/other local entities.
25.03.2011nicoladiaz
Microsoft enabled the full https feature for Hotmail only last november 2010….
26.03.2011h4rm0ny
According to MS, this was a bug that has been fixed:
http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/
26.03.2011orcmid
@Jillian,according to the Register rticle, Microsoft has confirmed that the feature for turning on Windows Live ID automatic HTTP originally working globally. It is now reported to be working globally again. (I can’t test that because I don’t use the feature.)
I notice with concern that this is not the same as blocking HTTP, which apparently did not happen. It is that over-generalization that will probably never disappear because it is so simplistic and dramatic and it appeals to painting a black-and-white picture of the world. It also overlooks that there were simple workarounds all along. (E.g., if Microsoft had blocked HTTP access to its properties, it would not matter what browser was used to access Hotmail.) Pity.