Slashdot Mirror


MS Removes HTTPS From Hotmail For Troubled Nations

An anonymous reader writes "Microsoft has removed HTTPS from Hotmail for many US-embargoed or otherwise troubled countries. The current list of countries for which they no longer enable HTTPS is known to include Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Journalists and others whose lives may be in danger due to oppressive net monitoring in those countries may wish to use HTTPS everywhere and are also encouraged to migrate to non-Microsoft email providers, like Yahoo and Google." Update: 03/26 17:08 GMT by T : Reader Steve Gula adds the caveat that "Yahoo! only does HTTPS for authentication unless you're a paying member."

37 of 147 comments

  1. Easy to remedy by jginspace · · Score: 2, Informative

    I don't know what Microsoft are thinking here but seeing as it's using the country you set in your profile; not any sort of geoip lookup ... the remedy is simple: just change the country in your profile.

    1. Re:Easy to remedy by neo00 · · Score: 5, Insightful

      Now explain to my grandmother, who just got her first email last week, how and why she needs to do that.

      On the other hand, the oppressive governments over there will LOVE that. It's probably even better than insecure FB or Twitter since everything ultimately goes to the people's emails.
      As someone from one of the mentioned countries, I'd like to ask Microsoft, do you realize now you might be very well putting many people at a greater risk of being arrested or killed. People are being KILLED for expressing some of their opinions in some of these places these days.

      SHAME ON YOU MICROSOFT

    2. Re:Easy to remedy by jd · · Score: 2

      Maybe neo00's family gets very passionate about their secret apple pie recipes.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:Easy to remedy by wisty · · Score: 2

      I think I have a couple. I used them to sign up to things I didn't want polluting my gmail account.

    4. Re:Easy to remedy by hairyfeet · · Score: 2, Informative

      Dude it's a fricking bug. It isn't even a fricking bug that blocks HTTPS, it just doesn't set it as default. Big fricking whoop, you just have to go in and set it. And anybody who is in a repressive country and sending shit that may get them in trouble to their email account without even using Tor or some other obfuscation is seriously asking for it anyway.

      Now if they had issued a press release that said "Countries A-K will NOT have HTTPS access" that would be one thing, and they'd deserve to get nailed for it. But it is a fricking bug associated with a new feature rollout. Hell why do you think Google is always in perpetual Beta? Because bugs happen, that's why. I'm sure by this time next week they'll have tracked down the uh oh and until then you can manually set it just like you did before since the whole point of this new feature was to set it automatic whereas before it was manual.

      So get off the "ZOMG! UR killin peoplez ZOMG!" bullshit, it was manual before, it is manual now until they get the bug fixed, then it will be automatic. Or are you claiming people in third world countries are too stupid to look for the little lock symbol?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Easy to remedy by hairyfeet · · Score: 4, Informative

      Fun fact: You're wrong. The largest is Yahoo! Mail followed by Gmail with Hotmail third.

      I personally think THIS is why Ballmer had such a hard on to buy out Yahoo! and why they were quick to jump on the search deal, as Yahoo Mail has a TON of users and funnily enough the Yahoo Web Portal is the #1 home page (Yeah I know it's a cluttered mess, apparently people like cluttered messes) by a large margin. Hell that damned portal is so popular now the only time I notice anymore is when someone brings in a PC to be fixed and Yahoo Portal ISN'T the default, that is how damned popular that thing is.

      As for TFA they ain't blocking HTTPS they had a bug that screwed up setting HTTPS as default. Surprise surprise new software rollout finds a bunch of bugs that need fixing. Until they chase down the bugs you can either use the FF plugin or just set it manually which isn't exactly a hardship. If this were anyone else it wouldn't even rate a mention but since it is MSFT the tinfoil hatters have to get in a few shots.

      Hell only the old folks use Hotmail anymore anyway, mostly those like my dad that got a branded account with his DSL. I can't even remember the last time I saw a customer under 50 that had Hotmail bookmarked. Everyone else it is Yahoo Mail followed by Gmail for the under 30s.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:Easy to remedy by Doc+Ruby · · Score: 2, Insightful

      Dude it's a fricking bug. It isn't even a fricking bug that blocks HTTPS, it just doesn't set it as default. Big fricking whoop, you just have to go in and set it. And anybody who is in a repressive country and sending shit that may get them in trouble to their email account without even using Tor or some other obfuscation is seriously asking for it anyway.

      Their "bug" (if that is really what it is) has just exposed a lot of people to arrest, abuse, and murder. Just because you're laying your life on the line every day with what you say in your email because it reflects opposition to your local mass murdering tyrant doesn't mean you should also know a lot about Web technologies. Until today it was sufficiently responsible to use Hotmail with HTTPS. Suddenly it's not, and lots of people at risk will be at much greater risk than they can be expected to realize. And some of them might get killed, beaten or kidnapped for it.

      But it's so easy for you to say "ZOMG" safely from your Web terminal while you do nothing remotely as risky as these people are doing every day.

      --
      make install -not war

    7. Re:Easy to remedy by GameboyRMH · · Score: 3, Informative

      Maybe the same reason that Windows is still the most popular OS. They were the first to make it easy and convenient, and nobody's bothered to change.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    8. Re:Easy to remedy by timothyf · · Score: 2

      The only way anyone would've hit this bug is if they were trying to make their account default to HTTPS while the bug was active. If you'd already set to HTTPS by default, that would still have worked. So, if it exposed anyone to arrest, it would be because they continued past the bug to do risky things anyway.

      http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/ if you want a source.

  2. The Point? by Mitsoid · · Score: 4, Interesting

    Giving up my mod points on the thread to ask... Why?

    Seems like the only advantage this holds is Microsoft can later claim "You should have used someone else's service to discuss anti-dictatorship topics, as our services are not secure or private" ??

    1. Re:The Point? by Nerdfest · · Score: 3, Insightful

      Perhaps these governments buy software from them ... they don't want to lose the sales.

    2. Re:The Point? by jginspace · · Score: 4, Insightful
      As noted below, China is not on the list. I think the summary is misleading. TFA says MS has turned off the 'always-use-HTTPS' option - not the 'HTTPS' option. Otherwise you couldn't get the HTTPS-Everywhere extension to work. From TFA:

      Hotmail users who browse the web with Firefox may force the use of HTTPS by default—while using any Hotmail location setting—by installing the HTTPS Everywhere Firefox plug-in.

    3. Re:The Point? by fuzzyfuzzyfungus · · Score: 3, Funny

      Presumably the US could just ask MS nicely for a neat digest of accounts of interest, delivered from their US-located datacenters, rather than asking them nicely to turn off SSL, and then having to MITM a whole bunch of people in a variety of largely hostile locales...

      SSL doesn't exactly keep Microsoft from reading your hotmail, it just keeps those between you and them from doing so (terms and restrictions may apply...)

    4. Re:The Point? by jd · · Score: 3, Funny

      Well, crypto is still regarded as munitions. Perhaps Microsoft is going to use this to say "we're not breaking the arms embargo but Firefox is"?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:The Point? by Yvanhoe · · Score: 2

      Most hotmail users do not know what HTTPS is. This move effectively disables cryptography for 90% of the users.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  3. Could they have done it because... by Nutria · · Score: 2

    of the Iranian CA breach?

    If they know that certain governments are decrypting SSL, then it's right to not let people think that their data is secure when it's actually not.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:Could they have done it because... by Nutria · · Score: 2

      Since MS is warning you before you enter in your username/password, your interpretation is completely wrong.

      --
      "I don't know, therefore Aliens" Wafflebox1
  4. Obsolete info by Anonymous Coward · · Score: 5, Informative

    It was a bug, it has been fixed.
    http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/

    1. Re:Obsolete info by Anonymous Coward · · Score: 3, Insightful

      Wow, that's a lot less sensational than Microsoft depriving troubled nations of privacy. What are the chances that the story will be amended to reflect this?

    2. Re:Obsolete info by M1FCJ · · Score: 2

      A bug only affecting certain oppressive countries?
      That's a bit too dodgy to be true. It sounds more like a cover up than the truth.

    3. Re:Obsolete info by Patch86 · · Score: 2

      Although far less sensational than "MS are evil and oppressing poor victims of the world", it's still a bit of a PR nightmare for MS.

      To be clear, MS have allowed a bug to creep into one of their biggest front-line communication services that caused people in countries like Syria, Bahrain and Iran to lose a key element of their email security, in the middle of one of the biggest popular uprisings / state crackdowns in decades.

      If my oven set my house on fire, I'd be pissed. It would be only small comfort to know the manufacturer didn't do it on purpose.

  5. Why? by cryfreedomlove · · Score: 2, Interesting

    The Microsoft executives who made this decision have worked very hard for their entire adult lives to achieve the position they are in. Many years of hard work in college and climbing the ranks at Microsoft have put them where they are today. So, then, why have they leveraged those years of hard work in the name of oppression?

    Shame, shame!

  6. Interesting... by fuzzyfuzzyfungus · · Score: 2

    I'm genuinely curious what the logic is. "zOMG the Feds!!!" seems unlikely (because Microsoft doesn't exactly have to crack the SSL connection between you and itself to watch you and provide whatever information they wish...) It also seems somewhat unlikely that they received a "disable SSL or we block you" ultimatum, in silence, from a veritable laundry list of undesirable locations at the same time. Those countries also represent a reasonably broad spectrum of different flavors of repressive fucked-upness, and a fair variety of different levels of "they may be dictators with blood on their hands; but they serve our interests", everything from "They are our good buddies who let us headquarter the 5th fleet" to "we would really prefer if they died in a fire..."

    That makes it sort of tricky to assign a foreign-policy based incentive behind Microsoft's activities. Economics, though, isn't obviously more helpful. That list represents one hell of a GDP spread, from "barely subsisting" to "oil plutocracy", so it doesn't seem to be a straightforward "eh, you guys just aren't worth the SSL costs, fuck it." cutoff.

    Any ideas?

  7. Yahoo??? by jginspace · · Score: 4, Insightful

    Why is the summary recommending Yahoo in this instance? Last time I checked (10 mins ago) I couldn't get Yahoo mail to use https on regular pages. It seems Hotmail can still use https in the affected countries - as long as you explicitly type it in the address bar. Or use HTTPS Everywhere. Or choose a different country in your profile. So Hotmail is still better than Yahoo?

  8. Cool it. by westlake · · Score: 4, Informative
    The Register has a calmer take on this story:

    Microsoft is blaming a mystery bug for preventing access to the encrypted version of Hotmail, denying that it deliberately blocked access to the service in Syria.

    On Friday afternoon, the company told The Reg that Hotmail users who had already enabled the HTTPS version of the popular email service were still able to use it. Only Hotmailers trying to turn on HTTPS for the first time in certain countries and languages were being blocked, Microsoft said.

    People trying to connect were greeted with the message: "Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type."

    Microsoft said it still doesn't know what caused the bug, but it has been resolved and the company is investigating the cause. "We do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused," a Microsoft spokesperson said.

    The company said users in the Bahamas, Cayman Islands, and Fiji were also affected.

    Microsoft: Mystery bug blocks Syrian secure Hotmail
    Sun worshipers and fat cats hit too [March 26]

    1. Re:Cool it. by pushing-robot · · Score: 5, Insightful

      Ah, those silly Microsoft programmers with their "bugs."

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Cool it. by fremsley471 · · Score: 2

      Mod up indeed. People as cynical as The Register should do more than just report the MS press-release. Someone stated above that hotmail was still the No. 1 mail service. That list of countries that just happen to have https choices suspended isn't organised in any programming order. If it was Swaziland, Sweden, Switzerland and Syria, then one would feel more inclined to believe them.

  9. Re:What... the... fuck? by ibsteve2u · · Score: 2

    it was a bug http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/

    Everyone can unwad their panties now.

    My panties? Not mine...I steal 'em from the neighbor's clothesline.

    Wait...is this an https connection? Oh, chit...

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  10. Strange Bug by Anonymous Coward · · Score: 2, Insightful

    Why would it only affect those countries? Testing showed that it only affected people with their location set to certain countries and that merely changing the country would allow it to work again.

    There may be an innocent explanation for that, but it's DAMN strange and really makes it appear that there's spying going on, somewhere.

  11. Banned in China by Anonymous+Bullard · · Score: 2, Informative

    Cryptography is banned in China and territories under their control without a permit by the "communist" party regime. They will have keys for the crypto they allow their subjects to use.

    Big and compliant foreign firms may apply for an exception but obviously that doesn't mean their operations haven't been breached from within.

    --

    Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?

    1. Re:Banned in China by Entropius · · Score: 2

      So when I traveled to China for a conference, I was breaking the law by using ssh to grab files from my computer back home?

    2. Re:Banned in China by Pi1grim · · Score: 4, Interesting

      Yes. But they are not too overzealous when it comes to dealing with tourists (who wants to start international scandal, when the poor bugger is of no threat). Should they be sure that you were using encryption to communicate with dissidents inside China, that would be a totally different story.

  12. Or so they want you to think! by XiaoMing · · Score: 3, Funny

    The company said users in the Bahamas, Cayman Islands, and Fiji were also affected.

    Next week's headline:
    "In unrelated news, local unrest reported in the tropics..."

    1. Re:Or so they want you to think! by coaxial · · Score: 2
  13. Re:What... the... fuck? by RightSaidFred99 · · Score: 2

    Yeah, and whenever some stupid asshole jumps to conclusions and blathers a bunch of paranoid delusional bullshit, have you ever noticed they refuse to accept any explanation other than the evil they initially attributed the incident to? Kind of the mindset of Troofers, Birfers, and anti-Evolutionists really. No matter what evidence you put forward, they will never accept anything other than the delusion that gives them their mental high.

  14. Re:FUCK Microsoft by h4rm0ny · · Score: 4, Informative

    Well it certainly doesn't appear to be a good thing, but let's at least clean up the usual more-incendiary-than-it-needs-to-be summary (TUMITINTBFS). A few months ago, MS added a setting to its Live accounts, where you could set it to use HTTPS automatically. What appears to have happened is that this has been provided for some countries, e.g. the USA, but not for some Middle Eastern and Eastern European countries (including Iran). So this isn't some long-standing feature that has suddenly been removed. Also, it seems that HTTPS is still available, but can't be set to be automatically enabled. So the feature is not prevented, merely not as convenient.

    So not a good thing on MS's part, apparently, but at least let's have some decent information.

    --

    Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
  15. Re:FUCK Microsoft by Macthorpe · · Score: 4, Informative
    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien