WebMail and HTTPS - How Difficult Can It Be?

Monday, November 22, 2010

Rafal Los


Given the extreme hyper-focus on session theft through packet capture and replay (ahem, FireSheep!) in sites like Twitter and FaceBook, it's interesting to see how difficult it is (or if its even possible) to enable HTTPS throughout a popular, high-traffic site that we use every day. 

I was hoping to be pleasantly surprised that the "big 3" (Microsoft Live Hotmail, Yahoo Webmail, and Google Gmail) had implemented (or at least had published easy-to-do instructions for) HTTPS encryption throughout the site... not just at the landing or login page.

Since Google's GMail enabled HTTPS throughout the site a while back (January 2010), I wondered if Microsoft and Yahoo had followed suit.  I remember that Google had made a big deal about enabling HTTPS throughout their webmail site, but that was a while ago and surely the other of the big 3 had followed suit.  Right?

Well... Microsoft Hotmail, had not. Same no-go on HTTPS for Yahoo mail.

Well, hopefully if it's not enabled by default, it's still possible to manually select that option, right?

As far as I can find, Yahoo! has no option for enabling HTTPS throughout the site.  I created an account (paid account, mind you) signed in, and checked... nothing.  I couldn't find a single option or hint at setting up HTTPS throughout Yahoo! webmail.  That's just shameful.

Now, Microsoft's Hotmail doesn't encrypt the entire site by default... but I am happy to report that I did find an option to encrypt the entire site in the account settings.  There is a catch though, and you're probably not going to like it if you're like me.  Here's how to encrypt your entire webmail session if you're using Microsoft Hotmail:

  1. Once you're logged in, click on your name in the top-right corner, and select Account
  2. From the Account page, in the Other Options section, select Connect with HTTPS
  3. Here you'll want to select "Use HTTPS automatically (please see the note above)"

Wait ...what is this "please see the note above" all about?  Oh ...


Important note: Turning on HTTPS will work for Hotmail over the web, but it will cause errors if you try to access Hotmail through programs like:
  • Outlook Hotmail Connector
  • Windows Live Mail
  • The Windows Live application for Windows Mobile and Nokia

If you only need a temporary HTTPS connection, enter "https" in front of the web address instead of "http".


So ...let me get this straight, since I use the Outlook Hotmail Connector (or really, it could be any of the desktop app-lets) I can't use HTTPS throughout the site?  Ahh... I see the problem now. 

The desktop installs of each of these are built to only use HTTP, so if you set it to force encryption throughout on the webmail site - your desktop plug-in will fail because it won't understand the server forcing it to HTTPS. 

This is one of the unfortunate side-effects of Microsoft being flexible and allowing their webmail to act as a full desktop mail client or plug-in.  In the short-term, I strongly encourage you to check the "Use HTTPS automatically" option... even though your desktop plug-in might break you're still better off until Microsoft rolls out updates to the different plug-ins they support. 

Just stick to the web browser (and HTTPS-only) version of Hotmail ...trust me.

So in summary here's how it looks:

  • [Best] Google Gmail - HTTPS throughout by default...since January 2010
  • [Livable] Microsoft Hotmail - HTTPS throughout not by default, option to select but breaks desktop app-lets
  • [Unacceptable] Yahoo Webmail - HTTPS throughout not by default, in fact not even available as an option
Cross-posted from Follow the White Rabbit
Possibly Related Articles:
Email Encryption Google Yahoo HTTPS
Post Rating I Like this!
Rod MacPherson If you want to use Desktop mail apps with Hotmail and keep encryption there is always SSL/TLS encrypted POP3 and SMTP, but unfortunately, Hotmail doesn't support IMAP like Gmail, so you can't easily synchronize across multiple desktops and web and still keep it all encrypted.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.