MS Removes HTTPS From Hotmail For Troubled Nations
An anonymous reader writes "Microsoft has removed HTTPS from Hotmail for many US-embargoed or otherwise troubled countries. The current list of countries for which they no longer enable HTTPS is known to include Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Journalists and others whose lives may be in danger due to oppressive net monitoring in those countries may wish to use HTTPS everywhere and are also encouraged to migrate to non-Microsoft email providers, like Yahoo and Google." Update: 03/26 17:08 GMT by T : Reader Steve Gula adds the caveat that "Yahoo! only does HTTPS for authentication unless you're a paying member."
Easy to remedy (Score:3, Informative)
Re:Easy to remedy (Score:5, Insightful)
On the other hand, the oppressive governments over there will LOVE that. It's probably even better than insecure FB or Twitter since everything ultimately goes to the people's emails.
As someone from one of the mentioned countries, I'd like to ask Microsoft, do you realize now you might be very well putting many people at a greater risk of being arrested or killed? People are being KILLED for expressing some of their opinions in some of these places these days.
SHAME ON YOU MICROSOFT
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Dude, it's a fricking bug. It isn't even a fricking bug that blocks HTTPS, it just doesn't set it as default. Big fricking whoop, you just have to go in and set it. And anybody who is in a repressive country and sending shit that may get them in trouble to their email account without even using Tor or some other obfuscation is seriously asking for it anyway.
Their "bug" (if that is really what it is) has just exposed a lot of people to arrest, abuse, and murder. Just because you're laying your life on the line
Re: (Score:3)
The only way anyone would've hit this bug is if they were trying to make their account default to HTTPS while the bug was active. If you'd already set to HTTPS by default, that would still have worked. So, if it exposed anyone to arrest, it would be because they continued past the bug to do risky things anyway.
http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/ [theregister.co.uk] if you want a source.
Re: (Score:2)
Now explain to my grandmother, who just got her first email last week, how and why she needs to do that.
If your grandmother only received her first email last week then she definitely, absolutely, imperatively must stay away from 'that'. I'm amazed this has been moderated insightful. We've gone from 'think of the children' to 'think of the grandmothers' as a shortcut for those too lazy to engage in thoughtful analysis.
Re: (Score:3)
Maybe neo00's family gets very passionate about their secret apple pie recipes.
Re: (Score:1)
This one time growing up the secret almost got out, but she put stirred up quite a protest a-LOST CARRIER-
Re: (Score:2)
Maybe not their grandmother. But plenty of grandmothers are getting shot in the streets this week in some of those countries. Next week it'll be some other of those countries, and the week after that...
And yes, some people who are emailing other people about their revolutionary plans and actions are somebody's grandmother. And most of these people have better things to do than stay on top of how MS is revoking the HTTPS they'd already heard for years would keep their emails secret.
Re: (Score:2)
And yes, some people who are emailing other people about their revolutionary plans and actions are somebody's grandmother.
Well are they now? When and if grandmothers are getting shot on the streets, DO NOT encourage them to mess around with technology they don't understand, ESP those "who just got her first email last week" (see GP). I'm not talking about messing with the settings - I'm saying just DON'T do it.
Re: (Score:2)
So all people fighting their local murderous tyrants must fully understand networking technologies before they trust email they've had reason to believe is secure.
You are a sad person living in Sim City.
Goodbye.
Re: (Score:2)
I believe the point he's trying to make is that anonymity/security on the internet, especially in a hostile country, is a very hard thing to accomplish and is best left to people who know what they are doing. By all means grandma can send and receive emails about recipes and photos of grandkids to her heart's content and nobody will break down her door for it HTTPS or not, but when grandma starts planning a revolution she better not be assuming that she'll be safe and secure on the internet and if she can't
Re: (Score:2)
Good point, let's see if any politicians go on TV and say this about Microsoft. This puts FAR more people at risk than anything Wikileaks ever did.
Re: (Score:1)
Who still uses hotmail? And why?
Re: (Score:2)
Re: (Score:1)
That [sort of] explains the first question. I'm wondering why though.
Re:Easy to remedy (Score:4, Informative)
Maybe the same reason that Windows is still the most popular OS. They were the first to make it easy and convenient, and nobody's bothered to change.
Re: (Score:2)
Re: (Score:3)
I think I have a couple. I used them to sign up to things I didn't want polluting my gmail account.
Comment removed (Score:5, Informative)
Re: (Score:2)
Yeah, but how many of those are "spam accounts" that those 100 million users use to sign up for things that require email, but which they don't want to give their real email....
Re: (Score:2)
Given that you can receive bucketloads of spam just by opening a hotmail account and waiting 6 hours, that's rather tautologous.
Re: (Score:2)
I totally agree.
With how ridiculous the government and some elements of corporate America have become in the US as of late, sharing obvious information like that is bound to get you branded as a "domestic terrorist..."
Yeah, I'm joking somewhat....somewhat..
The Point? (Score:5, Interesting)
Giving up my mod points on the thread to ask... Why?
Seems like the only advantage this holds is Microsoft can later claim "You should have used someone else's service to discuss anti-dictatorship topics, as our services are not secure or private" ??
Re:The Point? (Score:4, Insightful)
Re: (Score:2)
Re:The Point? (Score:5, Insightful)
Hotmail users who browse the web with Firefox may force the use of HTTPS by default—while using any Hotmail location setting—by installing the HTTPS Everywhere Firefox plug-in.
So, Microsoft endorses Firefox? (Score:2)
Maybe they are just gaming Google and gmail.
Re: (Score:1)
China doesn't need to have encryption turned off. They just ask MS nicely to hand them the key and MS will comply if it makes them a buck. If you rely on big corporations for confidentiality in oppressive regimes the size of China, you're a fool.
Re: (Score:1)
China has a root certificate in your browser as well as a sophisticated cyber army. They don't need Microsoft's help.
Re: (Score:3)
Cryptography huh? (Score:2)
Most hotmail users do not know what HTTPS is. This move effectively disables cryptography for 90% of the users.
well, 90% of people on Slashdot don't know what HTTPS is - 90% of the other 10% are probably displaying a rather cock-sure, blissful ignorance. Think about it: a message going from country A to country B, two wifi connections that may or may not be encrypted, two governments that may or may not be intruding, two providers that may be cooperating with the former to varying degrees. If you don't know what https is, stay away from it. Don't tell anybody they're getting 'cryptography' if you're not able to give the
Re: (Score:2)
The 90% of hotmail users who don't know what https is won't be looking for this setting in the first place.
Banned in China (Score:3, Informative)
Cryptography is banned in China and territories under their control without a permit by the "communist" party regime. They will have keys for the crypto they allow their subjects to use.
Big and compliant foreign firms may apply for an exception but obviously that doesn't mean their operations haven't been breached from within.
Re: (Score:3)
So when I traveled to China for a conference, I was breaking the law by using ssh to grab files from my computer back home?
Re:Banned in China (Score:4, Interesting)
Yes. But they are not too overzealous when it comes to dealing with tourists (who wants to start international scandal, when the poor bugger is of no threat). Should they be sure that you were using encryption to communicate with dissidents inside China, that would be a totally different story.
Re: (Score:2)
You didn't ssh home and start firefox on the home computer through a ssh-X tunnel to watch youtube? Nooob.
Re: (Score:2)
Well, not using firefox, I used konqueror. It worked somewhat, but not in fullscreen.
Re: (Score:2)
Re: (Score:2)
This one is new for me. I've never heard of such blanket bans, though I know many techie friends who have dealings in China.
I personally have used ssh quite a few times in China, and I am not aware that "legitimate" uses of it are banned or disapproved.
So, any source for your claims?
Re: (Score:2)
Re:The Point? (Score:4, Funny)
Well, crypto is still regarded as munitions. Perhaps Microsoft is going to use this to say "we're not breaking the arms embargo but Firefox is"?
Re: (Score:2)
Re: (Score:2)
If you're providing "publicly available source code" (as Firefox is, and Microsoft isn't), the export controls almost melt away. You have to send in a notification [doc.gov], but no review is required.
Microsoft, on the other hand, doesn't have it quite so easy, but I'm sure that their reviews get expedited, so I seriously doubt that EAR/ITAR plays any role in this.
Maybe they are saying don't risk your life (Score:1)
They may not want people to risk their lives using their service.
If the certs are already compromised. MITM proxies, prior break-ins etc.
Re: (Score:2)
But they're not saying that. They're saying very little, that will be received by very few of the people it puts at risk and understood by even fewer.
MS' actions are putting people's lives at increased risk without those people knowing about it.
Re: (Score:1, Informative)
Microsoft says this has been a bug which has been corrected today:
http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/ [theregister.co.uk]
The whole thread is misled.
Re:The Point? (Score:4, Funny)
SSL doesn't exactly keep Microsoft from reading your hotmail, it just keeps those between you and them from doing so(terms and restrictions may apply...)
Re: (Score:1)
Every account is of interest.
Re: (Score:2)
Presumably the US could just ask MS nicely for a neat digest of accounts of interest, delivered from their US-located datacenters, rather than asking them nicely to turn off SSL, and then having to MITM a whole bunch of people in a variety of largely hostile locales...
They could but there is more hassle in this and it also shows who they're interested in. I actually suspect that GP is correct in that this is something MS is doing for the US govt. rather than for the local governments. Reason being that those local governments control the ISPs and telecoms services there and probably don't need something like this to spy, or would even find it that helpful. But foreign spies who aren't affiliated with the local government would find it useful when they're trying to eavesd
Could they have done it because... (Score:3)
of the Iranian CA breach?
If they know that certain governments are decrypting SSL, then it's right to not let people think that their data is secure when it's actually not.
Re: (Score:2)
I'm glad you don't work for my bank. "There's a small chance your account might have been compromised, so we sent you this post card with all your private information on it so you know you aren't secure. Have a nice day!"
Re: (Score:3)
Since MS is warning you before you enter in your username/password, your interpretation is completely wrong.
Re: (Score:2)
Yes, they throw an error at you when you try to turn the feature on. But what if you had enabled it previously—do they actually tell you it has been disabled before you log in?
Re: (Score:2)
Good, but different, question. Which, not living in a hell hole, I don't have the answer to.
Re: (Score:2)
Re: (Score:2)
(edit: stupid lameness filter. Yes I know "using all caps is like yelling". That's why I'm using all caps!).
Re: (Score:1)
Yeah, the good old Microsoft solution to just about any problem: don't fix it, just throw up another useless dialog box.
And people wonder why users just click through any message without reading it. Every time I use Windows, I start to understand that attitude more and more; there is no more dialog-happy OS on the planet.
Mart
Re: (Score:2)
of the Iranian CA breach?
If they know that certain governments are decrypting SSL
I don't think they need to decrypt SSL. Just proxy the key negotiation.
Re: (Score:2)
Prior to a few days ago, only Microsoft had such a certificate...
.
What do you mean only Microsoft had such a certificate?
Go to your browser and look at the list of trusted root certs.
ANY of them can sign a cert that says "Yeah I'm a valid cert for *.hotmail.com" and your browser by default wouldn't warn you.
And any of those CAs can sign someone else's cert (who can sign someone else's cert, repeat, rinse etc) and allow them to sign a "*.hotmail.com" cert and it'll work too.
CNNIC (one of China's CAs) has their cert signed by Entrust (whose certs are in most popular browse
Re: (Score:2)
the Iranian CA breach?
TFP is referring to this [slashdot.org], in case anyone other than me missed it.
Surprising? (Score:1, Offtopic)
I thought it was already quite [guardian.co.uk] clear [nytimes.com] that Microsoft doesn't let morality get in the way of income.
closure (Score:1)
Obsolete info (Score:5, Informative)
It was a bug, it has been fixed.
http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/
Re: (Score:3, Insightful)
Wow, that's a lot less sensational than Microsoft depriving troubled nations of privacy. What are the chances that the story will be amended to reflect this?
Re: (Score:3)
Although far less sensational than "MS are evil and oppressing poor victims of the world", it's still a bit of a PR nightmare for MS.
To be clear, MS have allowed a bug to creep into one of their biggest front-line communication services that caused people in countries like Syria, Bahrain and Iran to lose a key element of their email security, in the middle of one of the biggest popular uprisings / state crackdowns in decades.
If my oven set my house on fire, I'd be pissed. It would be only small comfort to k
Strange Bug (Score:2, Insightful)
Why would it only affect those countries? Testing showed that it only affected people with their location set to certain countries and that merely changing the country would allow it to work again.
There may be an innocent explanation for that, but it's DAMN strange and really makes it appear that there's spying going on, somewhere.
Re: (Score:2)
A bug only affecting certain oppressive countries?
That's a bit too dodgy to be true. It sounds more like a cover up than the truth.
Why? (Score:3, Interesting)
Shame, shame!
Re: (Score:2)
Probably so they can climb even higher.
Sadly.
Re: (Score:2)
are you blindly believing it was a bug because they told you so?
Re: (Score:1)
Yeah, it wasn't a bug. They were out to get people, for.. however short a period of time it was broken. You totally busted those corporatist assholes!
Do you ever get tired of yourself, I mean really?
Re: (Score:2)
They were out to get people, for.. however short a period of time it was broken
It got into the news and was embarrassing for them from a PR standpoint, so they did a U-turn. Wouldn't be the first time. (See also, for example, Microsoft's significant assistance to the Russian government in shutting down the opposition there via police raids on opposition organisations for using "pirated" MS software. Complete with falsified statements from Microsoft's representatives that they were using pirate software even when they weren't. They were willing to let that continue right up until it got
at any other time (Score:1)
i would say that it's just another cynical data point of a large multinational putting profit over morality
however, with the recent cert hack, you have to wonder if there isn't a bigger story here
Re: (Score:1)
What... the... fuck? (Score:1)
So in the places where HTTPS is most needed to protect people's lives, Microsoft kowtows to pressure from a bunch of soon-to-be-ex Pol Pot dictators to trick people into using unencrypted traffic so that they can be snooped upon?
To everyone in the Middle East, when the revolution is through, remember who your friends were, and remember which large company tried to sell you out, then choose your purchases accordingly. Remember, developing nations have more influence on corporations through their buying powe
Re: (Score:3)
it was a bug http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/ [theregister.co.uk]
Everyone can unwad their panties now.
My panties? Not mine...I steal 'em from the neighbor's clothesline.
Wait...is this an https connection? Oh, chit...
Re: (Score:1)
Have you ever noticed that when somebody gets caught doing something really unethical, they always say, "I made a mistake" or "It was a bug"?
Re: (Score:2)
Yeah, and whenever some stupid asshole jumps to conclusions and blathers a bunch of paranoid delusional bullshit, have you ever noticed they refuse to accept any explanation other than the evil they initially attributed the incident to? Kind of the mindset of Troofers, Birfers, and anti-Evolutionists really. No matter what evidence you put forward, they will never accept anything other than the delusion that gives them their mental high.
Interesting... (Score:3)
That makes it sort of tricky to assign a foreign-policy based incentive behind Microsoft's activities. Economics, though, isn't obviously more helpful. That list represents one hell of a GDP spread, from "barely subsisting" to "oil plutocracy", so it doesn't seem to be a straightforward 'eh, you guys just aren't worth the SSL costs, fuck it." cutoff.
Any ideas?
Yahoo??? (Score:5, Insightful)
Cool it. (Score:5, Informative)
Microsoft is blaming a mystery bug for preventing access to the encrypted version of Hotmail, denying that it deliberately blocked access to the service in Syria.
On Friday afternoon, the company told The Reg that Hotmail users who had already enabled the HTTPS version of the popular email service were still able to use it. Only Hotmailers trying to turn on HTTPS for the first time in certain countries and languages were being blocked, Microsoft said.
People trying to connect were greeted with the message: "Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type."
Microsoft said it still doesn't know what caused the bug, but it has been resolved and the company is investigating the cause. "We do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused," a Microsoft spokesperson said.
The company said users in the Bahamas, Cayman Islands, and Fiji were also affected.
Microsoft: Mystery bug blocks Syrian secure Hotmail [theregister.co.uk]
Sun worshipers and fat cats hit too [March 26]
Re:Cool it. (Score:5, Insightful)
Ah, those silly Microsoft programmers with their "bugs." [nytimes.com]
Re: (Score:2)
Re: (Score:3)
Mod up indeed. People as cynical as The Register should do more than just report the MS press-release. Someone stated above that hotmail was still the No. 1 mail service. That list of countries that just happen to have https choices suspended isn't organised in any programming order. If it was Swaziland, Sweden, Switzerland and Syria, then one would feel more inclined to believe them.
Or so they want you to think! (Score:4, Funny)
The company said users in the Bahamas, Cayman Islands, and Fiji were also affected.
Next week's headline:
"In unrelated news, local unrest reported in the tropics..."
Re: (Score:2)
You laugh, but Fiji is run by a military junta. (As if you needed yet another reason to avoid drinking Fiji bottled water.)
Exec perk (Score:1)
Microsoft execs are just making sure that a large supply of "donated" organs are available whenever they need them.
M$ like a dog (Score:1)
Re: (Score:2)
Actually, my dog is on the right side of every issue, except sometimes "feed me that" and "walk me now".
Morocco? (Score:2)
Yahoo not MS? (Score:2)
In what way is Yahoo a non-Microsoft email provider? Non-Hotmail maybe but I am pretty sure they are Microsoft.
SO much for having backbone (Score:2)
I guess it shows Bill is not running things anymore.....I am not so sure he would have buckled under the pressure of what is going on over there politically to change HIS windows or hotmail to be easier for the feds to access.
bend over now (Score:2)
M$ always bending over to get the $, why let some country dictate how you should develop your app, I find that useless.
Re: (Score:2)
Hmm... side with the devil or forfeit a big paycheck... decisions, decisions...
Re: (Score:2)
Any possible motivation escapes me.
A lot of people posting already assume that there's some financial consideration involved; but I can't see that realistically being the case. But the problem is - I can't come up with a logical explanation for this that fits any reasonable supposition.
It would help if Microsoft would say why - we'd have to analyze it and parse the double-speak, obviously, but we'd at least have some meager clue. As it is, it's simply just bizarre.
Re: (Score:2)
Re:FUCK Microsoft (Score:5, Informative)
So not a good thing on MS's part, apparently, but at least let's have some decent information.
Re:FUCK Microsoft (Score:5, Informative)
Apparently it was a bug:
http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/ [theregister.co.uk]
Re: (Score:2)