March 25, 2011 | By Eva Galperin

Microsoft Shuts off HTTPS in Hotmail for Over a Dozen Countries

UPDATE (3/26/11): HTTPS is again available for those in the countries discussed below. Microsoft denies deliberately blocking access to HTTPS, blaming the problem on a bug:

We are aware of an issue that impacted some Hotmail users trying to enable HTTPS. That issue has now been resolved. Account security is a top priority for Hotmail and our support for HTTPS is worldwide – we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world.

If you've been waiting for a golden opportunity to download EFF's HTTPS Everywhere Firefox add-on, this is it.

Microsoft appears to have turned off the always-use-HTTPS option in Hotmail for users in more than a dozen countries, including Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Hotmail users who have set their location to any of these countries receive the following error message when they attempt to turn on the always-use-HTTPS feature in order to read their mail securely:

Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type.

Microsoft debuted the always-use-HTTPS feature for Hotmail in December of 2010, in order to give users the option of always encrypting their webmail traffic and protecting their sensitive communications from malicious hackers using tools such as Firesheep, and hostile governments eavesdropping on journalists and activists. For Microsoft to take such an enormous step backwards— undermining the security of Hotmail users in countries where freedom of expression is under attack and secure communication is especially important—is deeply disturbing. We hope that this counterproductive and potentially dangerous move is merely an error that Microsoft will swiftly correct.

The good news is that the fix is very easy. Hotmail users in the affected countries can turn the always-use-HTTPS feature back on by changing the country in their profile to any of the countries in which this feature has not been disabled, such as the United States, Germany, France, Israel, or Turkey. Hotmail users who browse the web with Firefox may force the use of HTTPS by default—while using any Hotmail location setting—by installing the HTTPS Everywhere Firefox plug-in.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Jail email service @JPay_com's ToS says it owns intellectual property rights over inmate-family correspondence https://eff.org/r.stln

May 5 @ 6:11pm

The Senate has unveiled the PATENT Act—an anti-troll bill. Here's what we like and what we want to see improved: https://eff.org/r.1tdw

May 5 @ 1:10pm

With "automated speech recognition, the NSA has entered the era of bulk listening," reports @the_intercept. https://eff.org/r.1o6b

May 5 @ 12:05pm
JavaScript license information