Slashdot Mirror
MS Removes HTTPS From Hotmail For Troubled Nations
An anonymous reader writes "Microsoft has removed HTTPS from Hotmail for many US-embargoed or otherwise troubled countries. The current list of countries for which they no longer enable HTTPS is known to include Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Journalists and others whose lives may be in danger due oppressive net monitoring in those countries may wish to use HTTPS everywhere and are also encouraged to migrate to non-Microsoft email providers, like Yahoo and Google." Update: 03/26 17:08 GMT by T : Reader Steve Gula adds the caveat that "Yahoo! only does HTTPS for authentication unless you're a paying member."
This sucks ass.
I don't know what Microsoft are thinking here but seeing as it's using the country you set in your profile; not any sort of geoip lookup ... the remedy is simple: just change the country in your profile.
Giving up my mod points on the thread to ask... Why?
Seems like the only advantage this holds is Microsoft can later claim "You should have used someone elses service to discuss anti-dictatorship topics, as our services are not secure or private" ??
of the Iranian CA breach?
If they know that certain governments are decrypting SSL, then it's right to not let people think that their data is secure when it's actually not.
"I don't know, therefore Aliens" Wafflebox1
When it comes to net monitoring, I wonder why China is not on that list.
I thought it was already quite clear that Microsoft doesn't let morality get in the way of income.
How can I believe you when you tell me what I don't want to hear?
Any possible motivation escapes me.
As hard as MS executives have worked in their lives, are they really proud to use those years of hard work to side with oppression?
Shame, shame.
These people have been 'encouraged' to migrate away from hotmail for a long time now. By just about everyone.
It is about time Microsoft jumped on the bandwagon and did some encouraging as well.
Any news organization worth its salt will make sure their journalists get Microsoft's message.
are microsoft trying hard to get themselves closed or what.what next
It was a bug, it has been fixed.
http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/
The Microsoft executives who made this decision have worked very hard for their entire adult lives to achieve the position they are in. Many years of hard work in college and climbing the ranks at Microsoft have put them where they are today. So, then, why have they leveraged those years of hard work in the name of oppression?
Shame, shame!
i would say that its just another cynical data point of a large multinational putting profit over morality
however, with the recent cert hack, you have to wonder if there isn't a bigger story here
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This is the exact opposite of what Microsoft needs to be doing. But, it's what we've come to expect from the company. Does anyone seriously still use hotmail?
So in the places where HTTPS is most needed to protect people's lives, Microsoft kowtows to pressure from a bunch of soon-to-be-ex Pol Pot dictators to trick people into using unencrypted traffic so that they can be snooped upon?
To everyone in the Middle East, when the revolution is through, remember who your friends were, and remember which large company tried to sell you out, then choose your purchases accordingly. Remember, developing nations have more influence on corporations through their buying power than any nation that is already locked into a particular vendor's products. Just a helpful tip.
To Microsoft, you should be ashamed. No, wait, the other thing. Tried and executed for crimes against humanity. Not to mention treason if Libya is being handled similarly. For shame.
Check out my sci-fi/humor trilogy at PatriotsBooks.
I'm genuinely curious what the logic is. "zOMG the Feds!!!" seems unlikely(because Microsoft doesn't exactly have to crack the SSL connection between you and itself to watch you and provide whatever information they wish...) It also seems somewhat unlikely that they received a "disable SSL or we block you" ultimatum, in silence, from a veritable laundry list of undesirable locations at the same time. Those countries also represent a reasonably broad spectrum of different flavors of repressive fucked-upness, and a fair variety of different levels of "they may be dictators with blood on their hands; but they serve our interests", everything from "They are our good buddies who let us headquarter the 5th fleet" to "we would really prefer if they died in a fire.."
That makes it sort of tricky to assign a foreign-policy based incentive behind Microsoft's activities. Economics, though, isn't obviously more helpful. That list represents one hell of a GDP spread, from "barely subsisting" to "oil plutocracy", so it doesn't seem to be a straightforward 'eh, you guys just aren't worth the SSL costs, fuck it." cutoff.
Any ideas?
Why is summary recommending Yahoo in this instance? Last time I checked (10 mins ago) I couldn't get Yahoo mail to use https on regular pages. It seems Hotmail can still use https in the affected countries - as long as you explicitly type it in the address bar. Or use HTTPS Everywhere. Or choose a different country in your profile. So Hotmail is still better than Yahoo?
Microsoft is blaming a mystery bug for preventing access to the encrypted version of Hotmail, denying that it deliberately blocked access to the service in Syria.
On Friday afternoon, the company told The Reg that Hotmail users who had already enabled the HTTPS version of the popular email service were still able to use it. Only Hotmailers trying to turn on HTTPS for the first time in certain countries and languages were being blocked, Microsoft said.
People trying to connect were greeted with the message: "Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type."
Microsoft said it still doesn't know what caused the bug, but it has been resolved and the company is investigating the cause. "We do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused," a Microsoft spokesperson said.
The company said users in the Bahamas, Cayman Islands, and Fiji were also affected.
Microsoft: Mystery bug blocks Syrian secure Hotmail
Sun worshipers and fat cats hit too [March 26]
I'm trying to figure out why here. Is it to avoid future high end attacks that we've been seeing lately?
Why would it only affect those countries? Testing showed that it only affected people with their location set to certain countries and that merely changing the country would allow it to work again.
There may be an innocent explanation for that, but it's DAMN strange and really makes it appear that there's spying going on, somewhere.
Cryptography is banned in China and territories under their control without a permit by the "communist" party regime. They will have keys for the crypto they allow their subjects to use.
Big and compliant foreign firms may apply for an exception but obviously that doesn't mean their operations haven't been breached from within.
Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?
Microsoft execs are just making sure that a large supply of "donated" organs are available whenever they need them.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
The company said users in the Bahamas, Cayman Islands, and Fiji were also affected.
Next week's headline:
"In unrelated news, local unrest reported in the tropics..."
IS M$ insane? Most journalists want privacy (its more fun than being killed). I suspect M$ is doing this to allow totalitarian governments to spy on and kill journalists/reporters, or perhaps its just that these governments asked/told them to, and always in favor of making a buck, even if people have to die, M$ caved in half a heartbeat. Or perhaps they just don't want any of that radical/insurgent/freedom stuff sprouting on any of their sites. Oh well, the Twitter and Facebook own a pair, and aren't running like little girls from this. M$ never had any redeeming qualities, never had any societal/social graces, was always a pariah (well earned), its just that every once in a while they get a chance to redeem themselves. This was one of those times. FAILED AGAIN!
They may not want people to risk their lives using their service.
If the certs are already compromised. MITM proxies, prior break-ins etc.
15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
Maybe they are just gaming Google and gmail.
You are being MICROattacked, from various angles, in a SOFT manner.
M$ like a dog, on the wrong side of every issue.
Actually, Morocco didn't ask M$ to suppress access to HTTPS. And in fact, Gmail over HTTPS works perfectly fine there. It looks like Microsoft are just guessing who might want to snoop, and offering that as a feature, without even being asked. Oh, anyone remember the Microsoft Surveillance Guide?
cpghost at Cordula's Web.
Hard to see what difference this makes since there are commercially available firewall appliances that can decrypt SSL on the fly. My company was planning a couple years ago to upgrade their firewall gear with these to "protect" their IP and prevent porn site access via HTTPS, so you can be sure any interested governments can procure the same equipment even if they have to circumvent embargoes.
Most hotmail users do not know what HTTPS is. This move effetively disables cryptography for 90% of the users.
well, 90% of people on Slashdot don't know what HTTPS is - 90% of the other 10% are probably displaying a rather cock-sure, blissful ignorance. Think about it: a message going from country A to country B, two wifi connections that may or may not be encrypted, two governments that may or may not be intruding, two providers that may be cooperating with the former to varying degrees. If you don't know what https, say away from it. Don't tell anybody they're getting 'cryptography' if you're not able to give them a grounding in all the above. Or else you 'cryptography' will only be good for hiding your stuff from your mum.
Deaths from Wikileaks:
Deaths from Microsoft:
which part of that statement is hard to understand?
In what way is Yahoo a non-Microsoft email provider? Non-Hotmail maybe but I am pretty sure they are Microsoft.
I didn't realize people still used hotmail...
arizona and utah; maybe mississippi
This is typical Microsoft behavior, that we have seen time and time again. Google at least had some limits to their cooperation with Chinese government, but Microsoft cooperates preemptively with authoritarian regimes, without even having to be proded, it would seem.
I guess it shows Bill is not running things anymore.....I am not so sure he would have buckled under the pressure of what is going on over there politically to change HIS windows or hotmail to be easier for the feds to access.
M$ always bending over to get the $, why let some country dictate how you should develop your app, I find that useless.