Microsoft turns off HTTPS protection for Hotmail in Arab countries
Microsoft denies intentional anti-privacy move, fixes error
By Jon Brodkin | Network World US | Published: 15:42, 29 March 2011
Microsoft says it did not "intentionally limit" access to Hotmail's HTTPS encryption service in foreign countries where freedom of expression is under attack.
The Electronic Frontier Foundation said Friday that "Microsoft appears to have turned off the always-use-HTTPS option in Hotmail for users in more than a dozen countries," calling the move "deeply disturbing."
"For Microsoft to take such an enormous step backwards, undermining the security of Hotmail users in countries where freedom of expression is under attack and secure communication is especially important, is deeply disturbing," the EFF said.
Related Articles on Techworld
Microsoft fixed the error in its email service later in the day Friday and denied it was an intentional move to limit privacy in any particular region of the world.
"We are aware of an issue that impacted some Hotmail users trying to enable HTTPS," Microsoft said. "That issue has now been resolved. Account security is a top priority for Hotmail and our support for HTTPS is worldwide, we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused."
Syria, Morocco, Bahrain, Iran, Lebanon, Jordan and Algeria, countries where there have been recent anti-government protests, were among the affected countries, according to the Electronic Frontier Foundation. The HTTPS option had also been disabled in Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan and Kyrgyzstan.
Microsoft has been offering HTTPS encryption for Hotmail since late 2010.
But until the recent problem was fixed, users in affected countries were receiving an error message stating, "Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type," the EFF said. The organisation recommended that users fix the problem by changing their home country to the United States or another country unaffected by the HTTPS outage.
"Hotmail users in the affected countries can turn the always-use-HTTPS feature back on by changing the country in their profile to any of the countries in which this feature has not been disabled, such as the United States, Germany, France, Israel or Turkey," the EFF said.
Gmail provides HTTPS by default during all communications, whereas Yahoo Mail seems to use HTTPS during login, but not while viewing and sending email.
Microsoft's HTTPS support for Hotmail was designed to "give users the option of always encrypting their webmail traffic and protecting their sensitive communications from malicious hackers using tools such as Firesheep, and hostile governments eavesdropping on journalists and activists," according to the EFF.