March 25, 2011 | By Eva Galperin

Microsoft Shuts off HTTPS in Hotmail for Over a Dozen Countries

UPDATE (3/26/11): HTTPS is again available for those in the countries discussed below. Microsoft denies deliberately blocking access to HTTPS, blaming the problem on a bug:

We are aware of an issue that impacted some Hotmail users trying to enable HTTPS. That issue has now been resolved. Account security is a top priority for Hotmail and our support for HTTPS is worldwide – we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world.

If you've been waiting for a golden opportunity to download EFF's HTTPS Everywhere Firefox add-on, this is it.

Microsoft appears to have turned off the always-use-HTTPS option in Hotmail for users in more than a dozen countries, including Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Hotmail users who have set their location to any of these countries receive the following error message when they attempt to turn on the always-use-HTTPS feature in order to read their mail securely:

Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type.

Microsoft debuted the always-use-HTTPS feature for Hotmail in December of 2010, in order to give users the option of always encrypting their webmail traffic and protecting their sensitive communications from malicious hackers using tools such as Firesheep, and hostile governments eavesdropping on journalists and activists. For Microsoft to take such an enormous step backwards— undermining the security of Hotmail users in countries where freedom of expression is under attack and secure communication is especially important—is deeply disturbing. We hope that this counterproductive and potentially dangerous move is merely an error that Microsoft will swiftly correct.

The good news is that the fix is very easy. Hotmail users in the affected countries can turn the always-use-HTTPS feature back on by changing the country in their profile to any of the countries in which this feature has not been disabled, such as the United States, Germany, France, Israel, or Turkey. Hotmail users who browse the web with Firefox may force the use of HTTPS by default—while using any Hotmail location setting—by installing the HTTPS Everywhere Firefox plug-in.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

New Dutch surveillance law may allow bulk interception of encrypted communication: https://eff.org/r.27eh

Jul 30 @ 5:31pm

Netzpolitik confirms that German authorities are investigating its journalists for reporting on mass surveillance: https://eff.org/r.o8c5

Jul 30 @ 5:14pm
Jul 30 @ 2:56pm
JavaScript license information