Softpedia
 


November 5th, 2010, 10:09 GMT

Microsoft to Implement Full-Session HTTPS in Hotmail

Hotmail supports full-session HTTPS
Microsoft will start allowing users to encrypt their Hotmail communications with SSL on an opt-in basis, in order to protect themselves from session hijacking attacks.

At the end of September, Microsoft enhanced the security of Hotmail accounts by allowing users to associate trusted computers and mobile phone numbers with them.

Aware that these changes don't completely mitigate the risk of account hijacking, Microsoft promised at the time to implement full-session HTTPS by the end of this fall.

The feature will be made available later this month and people will be able to activate it by accessing mail.live.com with https:// in front instead of http://.

Accessing Hotmail over HTTPS
After inputting their login details, users will get redirected to a page informing them that they are trying to access Hotmail over HTTPS and will be offered the option to enable it permanently.

"For the most secure connection, we strongly recommend that you change your settings to always use HTTPS," a message will read.

Users will also be advised that if they check their calendar, edit contacts or go to other non-HTTPS Windows Live sites while authenticated, they will be exposed to attacks again.

Option to always use HTTPS on Hotmail
However, enabling the option to always use full-session HTTPS can cause problems with the Outlook Hotmail Connector, Windows Live Mail or the Windows Live application for Windows Mobile and Nokia.

HTTPS (HTTP Secure) combines the Hypertext Transfer Protocol (HTTP) with the SSL/TLS protocol, in order to encrypt communications between a Web server and clients.

Lack of full-session HTTPS support exposes users to session hijacking attacks, which involve hackers sniffing network traffic and stealing session cookies from users.

These identification files can then be placed inside the attacker's browser to give them access to the accounts of the victims.

This kind of attack has been known for over a decade, and people connecting over open wireless networks are most exposed to it.
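The exposure described above, checked from the defender's side, as an added example that is not part of the original article: given the Set-Cookie headers a site returns at login and the URLs a user then visits, it lists which cookies the browser would send over plain HTTP because they lack the Secure attribute. Hostnames, cookie names and values are constructed, and the domain and path matching is a simplification of RFC 6265.

```python
from urllib.parse import urlsplit

# Constructed sample data: hostnames and cookie names are hypothetical.
LOGIN_URL = "https://login.mail.example/auth"
SET_COOKIE_HEADERS = [
    "session=abc123; Domain=.mail.example; Path=/; HttpOnly",       # no Secure
    "auth=def456; Domain=.mail.example; Path=/; Secure; HttpOnly",  # Secure
    "logintoken=ghi789; Path=/",                                    # host-only
]
VISITED = [
    "https://webmail.mail.example/inbox",
    "http://calendar.mail.example/today",  # non-HTTPS page while authenticated
]

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie value into the fields that decide cleartext exposure."""
    first, *attrs = [part.strip() for part in header.split(";")]
    cookie = {"name": first.partition("=")[0], "domain": origin_host,
              "host_only": True, "path": "/", "secure": False}
    for attr in attrs:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain" and value:
            cookie["domain"], cookie["host_only"] = value.lstrip(".").lower(), False
        elif key == "path" and value.startswith("/"):
            cookie["path"] = value
    return cookie

def sent_to(cookie, host, path):
    """Simplified domain and path matching (prefix match on the path)."""
    d = cookie["domain"]
    domain_ok = host == d or (not cookie["host_only"] and host.endswith("." + d))
    return domain_ok and path.startswith(cookie["path"])

def cleartext_exposure(login_url, headers, visited):
    """Map cookie name -> plain-HTTP URLs on which the browser would send it."""
    origin = urlsplit(login_url).hostname
    jar = [parse_set_cookie(h, origin) for h in headers]
    exposed = {}
    for url in visited:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # TLS protects the Cookie header on https:// requests
        for c in jar:
            if not c["secure"] and sent_to(c, parts.hostname, parts.path or "/"):
                exposed.setdefault(c["name"], []).append(url)
    return exposed
```

Any cookie the function reports is one that needs the Secure attribute, or the page that triggers it needs to move to HTTPS.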

Microsoft is also considering implementing full-session HTTPS for Bing, which would allow users to encrypt their Web searches when connecting from unprotected networks.

"The security and privacy of our customers is very important to us at Bing. We are looking at SSL and other technologies for future releases of Bing," a Microsoft spokesperson told us.

Update November 5: This article originally stated that full-session HTTPS is available on Hotmail; however, Microsoft has since contacted us to clarify that the implementation is not yet complete. Therefore, we have amended the article to reflect that the feature will be operational later this month.

