Microsoft promises fix to Hotmail security this month
Update 11/9/2010 – Microsoft ‘fixes’ Hotmail with an unusable fix
UPDATE 11/4/2010 – Unfortunately, Microsoft confirmed that SSL will be optional and not the default setting which means the vast majority of customers will not be running SSL. Hopefully they’ll at least fix the cookie theft issue by default, and then consider the almost nonexistent overhead of maintaining SSL browsing for all Hotmail customers. All the hard work of setting up the SSL session during the initial authentication phase was already done.
I asked Microsoft for a response to their failing score on my “Online services security report card” for their Hotmail service and got the response that Hotmail customers were hoping to hear. Microsoft will fix the problem and enable full-time SSL browsing for Hotmail this month. Here’s the official response I got from Microsoft.
“Whenever people access the web through unsecured wireless networks they run the risk of exploits. To protect against these exploits and keep passwords secure we encrypt all connections at login with HTTPS (SSL encryption), and have recently released new security features like Single-Use codes, which allow Windows Live customers to log in with a one-time password and keep their normal password secure on public networks. In addition to protecting customers’ information at login, in November we will enable Hotmail customers to maintain full-session SSL encryption during their entire Hotmail session, which mitigates cookie-stealing exploits. While we are integrating several security features into Windows Live to help protect our customers, we always recommend that our customers use secure internet connections when browsing the web.” – Microsoft Spokesperson
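The cookie-stealing exposure the statement refers to, modeled as an added example (not code from the post, Microsoft or Hotmail): a browser only withholds a cookie from plaintext requests if it carries the Secure attribute, so an HTTPS-only login that sets a non-Secure session cookie hands that cookie to any eavesdropper as soon as the mail UI drops back to http://. The hostname mail.example.com and the cookie values are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def parse_set_cookie(header: str, origin_host: str) -> dict:
    """Parse one Set-Cookie header; a cookie with no Domain attribute is host-only."""
    jar = SimpleCookie()
    jar.load(header)
    (name, m), = jar.items()
    return {
        "name": name,
        "value": m.value,
        "secure": bool(m["secure"]),      # True only if the Secure attribute is present
        "httponly": bool(m["httponly"]),  # HttpOnly hides it from script, not from the wire
        "domain": (m["domain"] or origin_host).lstrip("."),
        "path": m["path"] or "/",
    }

def cookies_sent(cookies: list, url: str) -> list:
    """Names of the cookies a browser would attach to a request for `url`.
    Simplified RFC 6265 rules: scheme check for Secure, domain suffix match,
    prefix path match."""
    u = urlsplit(url)
    host, path = u.hostname or "", u.path or "/"
    sent = []
    for c in cookies:
        if c["secure"] and u.scheme != "https":
            continue  # Secure cookies are never sent over plaintext HTTP
        if not (host == c["domain"] or host.endswith("." + c["domain"])):
            continue
        if not path.startswith(c["path"]):
            continue
        sent.append(c["name"])
    return sent

# Constructed sample: the session cookie an HTTPS login response might set,
# first without the Secure attribute (the weak setting), then hardened.
WEAK_COOKIE = "SessionID=s3ss10n; Path=/; HttpOnly"
HARDENED_COOKIE = "SessionID=s3ss10n; Path=/; HttpOnly; Secure"

def leaked_after_login(set_cookie_header: str) -> list:
    """Cookies sent in the clear when, after logging in over HTTPS, the user
    is handed back to the inbox over plain http://."""
    jar = [parse_set_cookie(set_cookie_header, "mail.example.com")]
    return cookies_sent(jar, "http://mail.example.com/inbox")

if __name__ == "__main__":
    print("weak:", leaked_after_login(WEAK_COOKIE))          # ['SessionID']
    print("hardened:", leaked_after_login(HARDENED_COOKIE))  # []
```

With the Secure attribute the hardened cookie is still sent over https://, so the session works only as long as the whole session stays on SSL, which is exactly what full-session encryption provides.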
Full SSL costs almost nothing
What I’m more curious about is whether Microsoft will implement SSL by default like Google Gmail. I’ve argued for many years that full-time SSL encryption has negligible server and network overhead, and Google confirmed this on their production Gmail environment this year. Google engineers wrote:
“In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.”
Now that Google has made public their experience with full-time SSL on Gmail (which got the only “A” on my online report card), I hope the rest of the industry will finally put to bed the myth that SSL is too expensive and do the right thing.
Facebook’s response to Forbes
Facebook, which absolutely flunked my security report card, responded to Forbes’ Kashmir Hill with a statement that offers some hope that there will be a fix within the coming months, but nothing definitive, and it offered some mistaken defenses of Facebook security. Facebook’s spokesperson claimed that Facebook always “encrypts” the login page. That’s true, but it’s totally inadequate because good security requires strong encryption and strong authentication. Facebook’s login page does not authenticate itself to the user because it doesn’t default to HTTPS, which is what lets the user determine whether they’re really visiting Facebook or some imitator’s site. The U.S. banking industry mistakenly believed that encryption alone was sufficient in 2006 but finally deployed proper server authentication to the user a few years later. Most other online services have figured this out except for Facebook and Twitter.