Microsoft's decision to introduce HTTPS data encryption for Hotmail has been welcomed by a developer who highlighted unencrypted sessions.
Last week Dick Craddock, group program manager for Hotmail, said that Microsoft was giving users the option to protect their entire Hotmail session with HTTPS encryption.
He said that SSL (Secure Sockets Layer), which is already used to secure the Hotmail sign-in process, can now be extended to the whole session from a 'manage SSL' page. Once a user has enabled this setting, all of their future connections to Hotmail will be delivered over SSL.
However, he also confirmed that some clients cannot connect to Hotmail while HTTPS is turned on. These include Outlook Hotmail Connector, Windows Live Mail, and the Windows Live application for Windows Mobile (version 6.5 and earlier) and Symbian.
Craddock said: “Also SkyDrive, Photos, Docs and Devices pages now all automatically use SSL encryption, transferring all their data over HTTPS. By using a connection with advanced security features, you can be even more confident that your account is safer from hijackers, and your private information is less likely to fall into someone else's hands.”
Eric Butler, creator of the Firesheep software add-on that can be used for sniffing unencrypted HTTP sessions and hijacking online services that require a login, welcomed the 'huge step forward', but admitted that as it is an opt-in feature, Hotmail's 300+ million users have to know to turn the feature on, which is unlikely.
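The weakness Firesheep exploits is not the login page but the session cookie: once a site sets it, the browser sends it on every later request to that host, including plain http:// ones, unless the cookie carries the Secure attribute, and nothing stops the browser from following an http:// link in the first place unless the site sends Strict-Transport-Security. The following Python audit, added here as an example and not part of the original article or of Microsoft's or Firesheep's code, checks a login response for exactly those two gaps and lists which cookies an on-path observer could read from a captured request. The HTTP messages, host names and cookie names are constructed for the example; the "session-like" name pattern is a heuristic assumption.

```python
"""Audit whether an HTTPS login actually protects the session cookie.

Added example; the sample HTTP messages below are constructed, and the
host name mail.example and cookie name sessionid are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Assumption: cookies whose names contain one of these fragments hold the session.
SESSION_NAME = re.compile(r"(sess|auth|token|sid|login)", re.IGNORECASE)


def parse_message(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP message into (start line, [(lower-cased header name, value)])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into {'name': str, 'attrs': {lower-cased attr: value or True}}."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "attrs": attrs}


def audit_response(raw_response: str) -> List[str]:
    """Findings for a response served over HTTPS.

    A session cookie without Secure is also sent on any later http:// request,
    which is what a passive sniffer on the same network reads and replays.
    """
    _, headers = parse_message(raw_response)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not SESSION_NAME.search(str(cookie["name"])):
            continue  # preferences such as theme= are not worth stealing
        if "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure, will leak on plain HTTP")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly, readable by injected script")
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header; browser will still follow http:// links")
    return findings


def sniffable_cookies(raw_request: str, scheme: str) -> List[str]:
    """Cookie names an on-path observer can read from one captured request.

    scheme is 'http' or 'https'; the capture layer, not the message, tells you which.
    Over https the observer sees only ciphertext, so nothing is returned.
    """
    if scheme == "https":
        return []
    _, headers = parse_message(raw_request)
    names = []
    for name, value in headers:
        if name == "cookie":
            for pair in value.split(";"):
                names.append(pair.strip().partition("=")[0])
    return names


# Constructed login response from a site that offers HTTPS but does not mark
# its session cookie Secure and sends no HSTS header.
WEAK_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=d41d8cd98f00; Path=/; Domain=.mail.example; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# The same response with the two gaps closed.
HARDENED_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=d41d8cd98f00; Path=/; Domain=.mail.example; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# What the browser sends when the user later types the bare host name and lands on http://.
LATER_PLAIN_REQUEST = (
    "GET /inbox HTTP/1.1\r\n"
    "Host: mail.example\r\n"
    "Cookie: sessionid=d41d8cd98f00; theme=dark\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
    print("sniffable over http:", sniffable_cookies(LATER_PLAIN_REQUEST, "http"))
    print("sniffable over https:", sniffable_cookies(LATER_PLAIN_REQUEST, "https"))
```

The weak response passes the check most people make (the login itself happened over HTTPS) and still fails the audit, because the browser will hand sessionid to anyone on the network the moment it makes one http:// request. The hardened response fixes this in two independent ways: Secure keeps the cookie off plaintext connections, and Strict-Transport-Security stops the browser from making plaintext connections to that host at all for the stated period. An opt-in "use SSL for this session" setting without those two headers leaves the session exposed for every user who did not find the setting.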
“Hopefully users will not have to wait another decade for Hotmail, other Microsoft services and other websites to implement mandatory SSL everywhere. In January of this year the EFF commended Gmail for making all accounts use SSL by default, and urged other websites to do the same,” he said.
“The risks of insecure websites have been known for years, yet over the years little to nothing has been done about what has become an incredibly widespread problem. In the three weeks since Firesheep was released, there has been some encouraging news that companies are waking up to the reality that HTTP is dead and that full end-to-end encryption (HTTPS/SSL) is no longer optional, but rather a requirement of doing business online.”
Butler asked users to report websites that do not use HTTPS and to tell those sites that privacy and security should be a priority. He highlighted a campaign by the human rights organisation Access, which is demanding that the world's top 100 websites support HTTPS.
He said: “Firesheep is not the cause or source of this problem. The clock started ticking for companies to protect their users the day they launched, not the day Firesheep was released. Facebook is already going on six years of insecurity, and counting.”