Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Microsoft Communications Encryption Privacy Politics Your Rights Online

MS Removes HTTPS From Hotmail For Troubled Nations 147

An anonymous reader writes "Microsoft has removed HTTPS from Hotmail for many US-embargoed or otherwise troubled countries. The current list of countries for which they no longer enable HTTPS is known to include Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Journalists and others whose lives may be in danger due oppressive net monitoring in those countries may wish to use HTTPS everywhere and are also encouraged to migrate to non-Microsoft email providers, like Yahoo and Google." Update: 03/26 17:08 GMT by T : Reader Steve Gula adds the caveat that "Yahoo! only does HTTPS for authentication unless you're a paying member."
This discussion has been archived. No new comments can be posted.

MS Removes HTTPS From Hotmail For Troubled Nations

Comments Filter:
  • Easy to remedy (Score:3, Informative)

    by jginspace ( 678908 ) <> on Friday March 25, 2011 @11:46PM (#35619740) Homepage Journal
    I don't know what Microsoft are thinking here but seeing as it's using the country you set in your profile; not any sort of geoip lookup ... the remedy is simple: just change the country in your profile.
    • Re:Easy to remedy (Score:5, Insightful)

      by neo00 ( 1667377 ) on Saturday March 26, 2011 @12:11AM (#35619886)
      Now explain to my grandmother, who just got her first email last week, how and why she needs to do that.

      On the other hand, the oppressive governments over there will LOVE that. It's probably even better than insecure FB or Twitter since everything ultimately goes to the people's emails.
      As someone from one the mentioned countries, I'd like to ask Microsoft, do you realize now you might be very well putting many people at a greater risk of being arrested or killed. People are being KILLED for expressing some of their opinions in some of these places these days.

      • Re: (Score:3, Informative)

        by hairyfeet ( 841228 )

        Dude its a fricking bug. It isn't even a fricking bug that blocks HTTPS, it just doesn't set it as default. Big fricking whoop, you just have to go in and set it. And anybody who is in a repressive country and sending shit that may get them in trouble to their email account without even using Tor or some other obfuscation is seriously asking for it anyway.

        Now if they had issued a press release that said "Countries A-K will NOT have HHTPS access" that would be one thing, and they'd deserve to get nailed for

        • Re: (Score:3, Insightful)

          by Doc Ruby ( 173196 )

          Dude its a fricking bug. It isn't even a fricking bug that blocks HTTPS, it just doesn't set it as default. Big fricking whoop, you just have to go in and set it. And anybody who is in a repressive country and sending shit that may get them in trouble to their email account without even using Tor or some other obfuscation is seriously asking for it anyway.

          Their "bug" (if that is really what it is) has just exposed a lot of people to arrest, abuse, and murder. Just because you're laying your life on the line

      • Now explain to my grandmother, who just got her first email last week, how and why she needs to do that.

        If your grandmother only received her first email last week then she definitely, absolutely, imperatively must stay away from 'that'. I'm amazed this has been moderated insightful. We've gone from 'think of the children' to 'think of the grandmothers' as a shortcut for those two lazy to engage in thoughtful analysis.

    • Who still uses hotmail? And why?

      • Fun fact: Hotmail is still the largest webmail provider by a margin of nearly 100 million users.
        • That [sort of] explains the first question. I'm wondering why though.

        • By what metric? Total accounts? Accounts accessed in the last month? Volume of mail? The first metric isn't much good, because a lot of those will be the leftovers of customers who long ago fled the service. Accounts accessed recently is better.
          • by wisty ( 1335733 )

            I think I have a couple. I used them to sign up to things I didn't want polluting my gmail account.

        • Re:Easy to remedy (Score:5, Informative)

          by hairyfeet ( 841228 ) <bassbeast1968@gm ... minus herbivore> on Saturday March 26, 2011 @07:42AM (#35621034) Journal

          Fun fact:You're wrong. The largest is Yahoo! Mail [] followed by Gmail with Hotmail third.

          I personally think THIS is why Ballmer had such a hard on to buy out Yahoo! and why they were quick to jump on the search deal, as Yahoo Mail has a TON of users and funnily enough the Yahoo Web Portal is the #1 home page (Yeah I know its a cluttered mess, apparently people like cluttered messes) by a large margin. Hell that damned portal is so popular now the only time I notice anymore is when someone brings in a PC to be fixed and Yahoo Portal ISN'T the default, that is how damned popular that thing is.

          As for TFA they ain't blocking HTTPS they had a bug that screwed up setting HTTPS as default. Surprise surprise new software rollout finds a bunch of bugs that need fixing. Until they chase down the bugs you can either use the FF plugin or just set it manually which isn't exactly a hardship. If this were anyone else it wouldn't even rate a mention but since it is MSFT the tinfoil hatters have to get in a few shots.

          Hell only the old folks use Hotmail anymore anyway, mostly those like my dad that got a branded account with his DSL. I can't even remember the last time I saw a customer under 50 that had Hotmail bookmarked. Everyone else it is Yahoo Mail followed by Gmail for the under 30s.

        • Yeah, but how many of those are "spam accounts" that those 100 million users use to sign up for things that require email, but which they don't want to give their real email....

    • by moxley ( 895517 )

      I totally agree.

      With how ridiculous the government and some elements of corporate America have become in the US as of late, sharing obvious information like that is bound to get you branded as a "domestic terrorist..."

      Yeah, I'm joking somewhat....somewhat..

  • The Point? (Score:5, Interesting)

    by Mitsoid ( 837831 ) on Friday March 25, 2011 @11:47PM (#35619746)

    Giving up my mod points on the thread to ask... Why?

    Seems like the only advantage this holds is Microsoft can later claim "You should have used someone elses service to discuss anti-dictatorship topics, as our services are not secure or private" ??

    • Re:The Point? (Score:4, Insightful)

      by Nerdfest ( 867930 ) on Friday March 25, 2011 @11:52PM (#35619778)
      Perhaps these governments buy software from them ... they don't want to lose the sales.
    • Re:The Point? (Score:5, Insightful)

      by jginspace ( 678908 ) <> on Friday March 25, 2011 @11:53PM (#35619788) Homepage Journal
      As noted below, China is not on the list. I think the summary is misleading. TFA says MS has turned off the 'always-use-HTTPS' option - not the 'HTTPS' option. Otherwise you couldn't get the HTTPS-Everywhere extension to work. From TFA:

      Hotmail users who browse the web with Firefox may force the use of HTTPS by default—while using any Hotmail location setting—by installing the HTTPS Everywhere Firefox plug-in.

      • Hmmm. May be telling. May be not.

        Maybe they are just gaming Google and gmail.

      • by Anonymous Coward

        China doesn't need to have encryption turned off. They just ask MS nicely to hand them the key and MS will comply if it makes them a buck. If you rely on big corporations for confidentiality in oppressive regimes the size of China, you're a fool.

      • by Anonymous Coward

        China has a root certificate in your browser as well as a sophisticated cyber army. They don't need Microsoft's help.

      • by Yvanhoe ( 564877 )
        Most hotmail users do not know what HTTPS is. This move effetively disables cryptography for 90% of the users.
        • Most hotmail users do not know what HTTPS is. This move effetively disables cryptography for 90% of the users.

          well, 90% of people on Slashdot don't know what HTTPS is - 90% of the other 10% are probably displaying a rather cock-sure, blissful ignorance. Think about it: a message going from country A to country B, two wifi connections that may or may not be encrypted, two governments that may or may not be intruding, two providers that may be cooperating with the former to varying degrees. If you don't know what https, say away from it. Don't tell anybody they're getting 'cryptography' if you're not able to give the

        • The 90% of hotmail users who don't know what https is won't be looking for this setting in the first place.

    • Perhaps they are trying to use the Host HTTP header to perform multi-site hosting on their services which is impossible to do under https because of the SSL handshaking. This would save lots of IP addresses .... Oh wait, nevermind []
    • by jd ( 1658 ) <{moc.oohay} {ta} {kapimi}> on Saturday March 26, 2011 @12:57AM (#35620050) Homepage Journal

      Well, crypto is still regarded as munitions. Perhaps Microsoft is going to use this to say "we're not breaking the arms embargo but Firefox is"?

      • This was my first thought as well.
      • by Xtifr ( 1323 )

        If you're providing "publicly available source code" (as Firefox is, and Microsoft isn't), the export controls almost melt away. You have to send in a notification [], but no review is required.

        Microsoft, on the other hand, doesn't have it quite so easy, but I'm sure that their reviews get expedited, so I seriously doubt that EAR/ITAR plays any role in this.

    • They may not want people to risk their lives using their service.
      If the certs are already compromised. MITM proxies, prior break-ins etc.

      • But they're not saying that. They're saying very little, that will be received by very few of the people it puts at risk and understood by even fewer.

        MS' actions are putting people's lives at increased risk without those people knowing about it.

    • Re: (Score:1, Informative)

      by wmac ( 1107843 )

      Microsoft says this has been a bug which has been corrected today: []

      The whole thread is mislead.

  • by Nutria ( 679911 ) on Friday March 25, 2011 @11:48PM (#35619752)

    of the Iranian CA breach?

    If they know that certain governments are decrypting SSL, then it's right to not let people think that their data is secure when it's actually not.

    • I'm glad you don't work for my bank. "There's a small chance your account might have been compromised, so we sent you this post card with all your private information on it so you know you aren't secure. Have a nice day!"

      • by Nutria ( 679911 )

        Since MS is warning you before you enter in your username/password, your interpretation is completely wrong.

        • Yes, they throw an error you when you try to turn the feature on. But what if you had enabled it previously—do they actually tell you it has been disabled before you log in?

          • by Nutria ( 679911 )

            Good, but different, question. Which, not living in a hell hole, I don't have the answer to.

          • by h4rm0ny ( 722443 )
            If the login page isn't HTTPS, then you know.
            • by h4rm0ny ( 722443 )

              (edit: stupid lamness filter. Yes I know "using all caps is like yelling". That's why I'm using all caps!).
        • by mvdwege ( 243851 )

          Yeah, the good old Microsoft solution to just about any problem: don't fix it, just throw up another useless dialog box.

          And people wonder why users just click through any message without reading it. Every time I use Windows, I start to understand that attitude more and more; there is no more dialog-happy OS on the planet.


    • of the Iranian CA breach?

      If they know that certain governments are decrypting SSL

      I don't think they need to decrypt SSL. Just proxy the key negotiation.

    • by xded ( 1046894 )

      the Iranian CA breach?

      TFP is referring to this [], in case anyone other than me missed it.

  • Surprising? (Score:1, Offtopic)

    I thought it was already quite [] clear [] that Microsoft doesn't let morality get in the way of income.

  • are microsoft trying hard to get themselves closed or what.what next
  • Obsolete info (Score:5, Informative)

    by Anonymous Coward on Friday March 25, 2011 @11:56PM (#35619800)

    It was a bug, it has been fixed.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Wow, that's a lot less sensational than Microsoft depriving troubled nations of privacy. What are the chances that the story will be amended to reflect this?

    • Strange Bug (Score:2, Insightful)

      by Anonymous Coward

      Why would it only affect those countries? Testing showed that it only affected people with their location set to certain countries and that merely changing the country would allow it to work again.

      There may be an innocent explanation for that, but it's DAMN strange and really makes it appear that there's spying going on, somewhere.

    • by M1FCJ ( 586251 )

      A bug only affecting certain oppressive countries?
      That's a bit too dodgy to be true. It sounds more like a cover up than the truth.

  • Why? (Score:3, Interesting)

    by cryfreedomlove ( 929828 ) on Friday March 25, 2011 @11:57PM (#35619802)
    The Microsoft executives who made this decision have worked very hard for their entire adult lives to achieve the position they are in. Many years of hard work in college and climbing the ranks at Microsoft have put them where they are today. So, then, why have they leveraged those years of hard work in the name of oppression?

    Shame, shame!
    • Probably so they can climb even higher.


  • i would say that its just another cynical data point of a large multinational putting profit over morality

    however, with the recent cert hack, you have to wonder if there isn't a bigger story here

    • And your post is another cynical data point in the bandwagon jumping paranoid delusional mindset of the "omg the bad corporations are out to get me!" crowd. This was identified as a bug and has been resolved. Where does all your blathering about morality end up, then? Yes - on the garbage heap.
  • So in the places where HTTPS is most needed to protect people's lives, Microsoft kowtows to pressure from a bunch of soon-to-be-ex Pol Pot dictators to trick people into using unencrypted traffic so that they can be snooped upon?

    To everyone in the Middle East, when the revolution is through, remember who your friends were, and remember which large company tried to sell you out, then choose your purchases accordingly. Remember, developing nations have more influence on corporations through their buying powe

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday March 25, 2011 @11:59PM (#35619826) Journal
    I'm genuinely curious what the logic is. "zOMG the Feds!!!" seems unlikely(because Microsoft doesn't exactly have to crack the SSL connection between you and itself to watch you and provide whatever information they wish...) It also seems somewhat unlikely that they received a "disable SSL or we block you" ultimatum, in silence, from a veritable laundry list of undesirable locations at the same time. Those countries also represent a reasonably broad spectrum of different flavors of repressive fucked-upness, and a fair variety of different levels of "they may be dictators with blood on their hands; but they serve our interests", everything from "They are our good buddies who let us headquarter the 5th fleet" to "we would really prefer if they died in a fire.."

    That makes it sort of tricky to assign a foreign-policy based incentive behind Microsoft's activities. Economics, though, isn't obviously more helpful. That list represents one hell of a GDP spread, from "barely subsisting" to "oil plutocracy", so it doesn't seem to be a straightforward 'eh, you guys just aren't worth the SSL costs, fuck it." cutoff.

    Any ideas?
  • Yahoo??? (Score:5, Insightful)

    by jginspace ( 678908 ) <> on Saturday March 26, 2011 @12:03AM (#35619848) Homepage Journal
    Why is summary recommending Yahoo in this instance? Last time I checked (10 mins ago) I couldn't get Yahoo mail to use https on regular pages. It seems Hotmail can still use https in the affected countries - as long as you explicitly type it in the address bar. Or use HTTPS Everywhere. Or choose a different country in your profile. So Hotmail is still better than Yahoo?
  • Cool it. (Score:5, Informative)

    by westlake ( 615356 ) on Saturday March 26, 2011 @12:07AM (#35619868)
    The Register has a calmer take on this story:

    Microsoft is blaming a mystery bug for preventing access to the encrypted version of Hotmail, denying that it deliberately blocked access to the service in Syria.

    On Friday afternoon, the company told The Reg that Hotmail users who had already enabled the HTTPS version of the popular email service were still able to use it. Only Hotmailers trying to turn on HTTPS for the first time in certain countries and languages were being blocked, Microsoft said.

    People trying to connect were greeted with the message: "Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type."

    Microsoft said it still doesn't know what caused the bug, but it has been resolved and the company is investigating the cause. "We do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused," a Microsoft spokesperson said.

    The company said users in the Bahamas, Cayman Islands, and Fiji were also affected.

    Microsoft: Mystery bug blocks Syrian secure Hotmail []
    Sun worshipers and fat cats hit too [March 26]

  • Microsoft execs are just making sure that a large supply of "donated" organs are available whenever they need them.

  • M$ like a dog, on the wrong side of every issue.
    • Actually, my dog is on the right side of every issue, except sometimes "feed me that" and "walk me now".

  • Actually, Morocco didn't ask M$ to suppress access to HTTPS. And in fact, Gmail over HTTPS works perfectly fine there. It looks like Microsoft are just guessing who might want to snoop, and offering that as a feature, without even being asked. Oh, anyone remember the Microsoft Surveillance Guide []?
  • and are also encouraged to migrate to non-Microsoft email providers, like Yahoo and Google.

    In what way is Yahoo a non-Microsoft email provider? Non-Hotmail maybe but I am pretty sure they are Microsoft.

  • I guess it shows Bill is not running things anymore.....I am not so sure he would have buckled under the pressure of what is going on over there politically to change HIS windows or hotmail to be easier for the feds to access.

  • M$ always bending over to get the $, why let some country dictate how you should develop your app, I find that useless.

MESSAGE ACKNOWLEDGED -- The Pershing II missiles have been launched.