Some details about the upcoming Hotmail full-session SSL feature

By damaster | Posted October 25, 2010 42 comments

By now you should all have the latest Hotmail update announced back in September 2010. As we mentioned last week, unfortunately the long-awaited full-session SSL (or HTTPS) feature did not make the cut in this update. We know that this feature will be coming quite soon – and we’ve been seeing this option in some of the internal testing sites:

Option

From what we gather, it appears that there will be two options Microsoft will offer for users to enable full-session SSL during their Hotmail sessions: an automatic “always on” option, and a temporary ad-hoc option. You may wonder why have two options? Well it appears that there are some caveats with the automatic “always on” option, as shown in the screenshot below:

Connect with HTTPS

If you enable the option shown above for full-session SSL to be always on, it will cause errors in Windows Live Mail, Outlook Hotmail Connector, as well as Windows Live for Windows Mobile and Nokia phones. As such, if you’re using any of these clients, it is recommended that you use the ad-hoc option – simply type “https” in front of the web address every time you require full-session SSL to be enabled.

Based on this, the intention for each of the two options is quite clear:

  • Use HTTPS automatically only if you frequently use public computers or unsecured wireless connections, and you only use the web-based version of Hotmail.
  • Don’t use HTTPS automatically if you use Windows Live Mail, Outlook Hotmail Connector, or Windows Live for Windows Mobile/Nokia as your main client to receive your re-mails. When browsing the web-based version of Hotmail, simply add “https” in front of the web address (i.e. https://mail.live.com) to use full-session SSL. However, Windows Live will not turn this on automatically if you’ve mistakenly typed in “http” instead of “https”.

While Windows Live for Windows Mobile/Nokia was mentioned, we’re unsure whether the new Windows Phone 7, or Exchange ActiveSync users will be affected by turning on this option. We’ll get more details closer to release, so stay tuned! In the mean time, let us know what you think about this implementation. What is your intended use of full-session SSL? Which category do you fall in? And how will this affect how you intend to use this feature? Let us know in the comments below!

Update: Microsoft has confirmed that turning on “Use HTTPS automatically” option will not affect Exchange ActiveSync users. Windows Phone 7 users also won’t be affected as it uses the Exchange ActiveSync protocol to sync with Hotmail.

Posted October 25th, 2010 at 7:04 am
Category: News
Tags: Hotmail, SSL, Wave 4, Windows Live
  • The black Mamba

    It sucks, I usually use both windows live mail and the webversion. It seems to me that you are secured based on what program that one uses as opposed to having full security regardless of how one choose to use access their email. If using automatic full-ssl seeion entail not using windows live mail, then that feature is prettu useless to me. Hope they change it soon.

    • Damaster – LiveSide.net

      Just type in / bookmark the https link…. I believe the WL ID sign-in page would have something that directs you to the HTTPS version too.

  • The black Mamba

    It sucks, I usually use both windows live mail and the webversion. It seems to me that you are secured based on what program that one uses as opposed to having full security regardless of how one choose to use access their email. If using automatic full-ssl seeion entail not using windows live mail, then that feature is prettu useless to me. Hope they change it soon.

    • damaster

      Just type in / bookmark the https link…. I believe the WL ID sign-in page would have something that directs you to the HTTPS version too.

  • JohnCz

    I’m fine just entering https.

  • JohnCz

    I’m fine just entering https.

  • Custom Computers

    In my opinion Windows Live is fast becoming Windows Dead! Having been a user and supporter since 2004 they have now confused the user base to a degree that many wish to discontinue the service. Many tell me get this crap off my system…we want a simple email and messenger client only. The social networking aspect and continued friend requests from all over the universe is a total waste of my time.

    • Salil

      What requests??? I never got any such requests in the last 3 years.

      • Ray Wall

        I seem to get one to three a week. They are not anyone I know. Mostly they seem to be linked to “adult” websites somehow. I block them and a week later another one or two show up.

  • Custom Computers

    In my opinion Windows Live is fast becoming Windows Dead! Having been a user and supporter since 2004 they have now confused the user base to a degree that many wish to discontinue the service. Many tell me get this crap off my system…we want a simple email and messenger client only. The social networking aspect and continued friend requests from all over the universe is a total waste of my time.

    • Salil

      What requests??? I never got any such requests in the last 3 years.

      • Ray Wall

        I seem to get one to three a week. They are not anyone I know. Mostly they seem to be linked to “adult” websites somehow. I block them and a week later another one or two show up.

  • Joe

    This wood bee a better way protect your infomation online.
    Encrypted password, user ID, or user ID and password security.

  • Joe

    This wood bee a better way protect your infomation online.
    Encrypted password, user ID, or user ID and password security.

  • http://jvd897.blogspot.com jvd897

    As a longtime Windows Live Mail user, I find it pretty annoying how Hotmail has had all these little updates recently that the desktop client doesn’t [fully] support.

    For example, you can create subfolders in Hotmail, and Windows Live Mail can read them, but it still can’t create them itself. And now we learn that Windows Live Mail isn’t compatible with HTTPS either.

    The really annoying thing is that Windows Live Mail Wave 4 has already been released, and you’d think that its developers would have added some level of support for these things in advance, knowing that they were in the pipeline. To me, it looks like a classic case of the left hand not talking to the right. Same goes for the Outlook Connector.

    As it is, it seems like we Windows Live Mail users are going to have to wait for Wave 5, since I don’t think Microsoft has ever updated Windows Live Mail between “waves”.

    • b

      Actually, they have. Not sure if they will add HTTPS to the mail client though.

      I’m also a Windows Live Mail user and this frustrates me as well.

      • http://jvd897.blogspot.com jvd897

        I stand corrected! Thanks.

  • jvd897

    As a longtime Windows Live Mail user, I find it pretty annoying how Hotmail has had all these little updates recently that the desktop client doesn’t [fully] support.

    For example, you can create subfolders in Hotmail, and Windows Live Mail can read them, but it still can’t create them itself. And now we learn that Windows Live Mail isn’t compatible with HTTPS either.

    The really annoying thing is that Windows Live Mail Wave 4 has already been released, and you’d think that its developers would have added some level of support for these things in advance, knowing that they were in the pipeline. To me, it looks like a classic case of the left hand not talking to the right. Same goes for the Outlook Connector.

    As it is, it seems like we Windows Live Mail users are going to have to wait for Wave 5, since I don’t think Microsoft has ever updated Windows Live Mail between “waves”.

    • b

      Actually, they have. Not sure if they will add HTTPS to the mail client though.

      I’m also a Windows Live Mail user and this frustrates me as well.

      • jvd897

        I stand corrected! Thanks.

  • Ray Wall

    Every time I get excited about Windows Live, it seems there is always some weird little thing that pops up that makes the user experience a little more frustrating. I create a ‘go around’ or decide to just live with it and then another thing comes up. Count me as one that is “frustrated with the almost works perfect but never it never comes completely together” camp. If there were quick and frequent updates to software & services it would be different, but like jvd897 says it may be years before this may be addressed.

  • Ray Wall

    Every time I get excited about Windows Live, it seems there is always some weird little thing that pops up that makes the user experience a little more frustrating. I create a ‘go around’ or decide to just live with it and then another thing comes up. Count me as one that is “frustrated with the almost works perfect but never it never comes completely together” camp. If there were quick and frequent updates to software & services it would be different, but like jvd897 says it may be years before this may be addressed.

  • Anonymous

    Wow that’s stupid.

  • sonicyoof

    Wow that’s stupid.

  • http://www.HalliganProjects.com Rob Halligan

    It’s great to see constructive criticism in comments. My issue is MS’s documentation. They don’t fully explain their new programs or take down out of date info. I don’t mind or like the changes they make. Two recent examples follow. I’d like to switch to Hotmail Active Sync but haven’t found enough info to feel confident getting rid of the hosted Exchange Server I have. And I’ve spent too much time trying to figure out what happens to the management of my domains when Office Live switches to Office 365.

    • Ray Wall

      Yeah, kind of odd how you can find more complete and often timelier information on websites like this one than through official channels.

      • damaster

        Completely agree with both of you there. Which is why we at LiveSide try to maintain our “FAQs Plus” section to contain information that are often scattered across different places on Microsoft websites. Feel free to take a look, and if there’s anything you’d like us to include, let us know too! =)

  • http://www.HalliganProjects.com Rob Halligan

    It’s great to see constructive criticism in comments. My issue is MS’s documentation. They don’t fully explain their new programs or take down out of date info. I don’t mind or like the changes they make. Two recent examples follow. I’d like to switch to Hotmail Active Sync but haven’t found enough info to feel confident getting rid of the hosted Exchange Server I have. And I’ve spent too much time trying to figure out what happens to the management of my domains when Office Live switches to Office 365.

    • Ray Wall

      Yeah, kind of odd how you can find more complete and often timelier information on websites like this one than through official channels.

      • Damaster – LiveSide.net

        Completely agree with both of you there. Which is why we at LiveSide try to maintain our “FAQs Plus” section to contain information that are often scattered across different places on Microsoft websites. Feel free to take a look, and if there’s anything you’d like us to include, let us know too! =)

  • davidmk

    That is absolutely pathetic… HTTPS breaks half their products…

    I use all of the products that I shouldn’t use HTTPS with… Outlook Connector, ActiveSync and Nokia Messaging.

  • Anonymous

    That is absolutely pathetic… HTTPS breaks half their products…

    I use all of the products that I shouldn’t use HTTPS with… Outlook Connector, ActiveSync and Nokia Messaging.

  • http://webscannotes.com Lem

    I think the “not recommended to automatically use HTTPS encryption” limitation is only temporary as applications such as Outlook Hotmail Connector and Windows Live Mail are not yet able to accept HTTPS connections; these issues should be fixed before full session HTTPS encryption is released to the public.

  • http://webscannotes.com Lem

    I think the “not recommended to automatically use HTTPS encryption” limitation is only temporary as applications such as Outlook Hotmail Connector and Windows Live Mail are not yet able to accept HTTPS connections; these issues should be fixed before full session HTTPS encryption is released to the public.

  • Juan

    Does that mean outlook connector is not secure? When opening outlook using a open wifi connection email is not encrypted…?

  • Juan

    Does that mean outlook connector is not secure? When opening outlook using a open wifi connection email is not encrypted…?

  • Guest

    That really sucks, I’m using both Windows Live Mail desktop application and web based Live Hotmail. I expect they’ll update WLM near future to support SSL.

  • Guest

    That really sucks, I’m using both Windows Live Mail desktop application and web based Live Hotmail. I expect they’ll update WLM near future to support SSL.

  • Hotmail User

    SSL as an option is better than nothing but it’s not good enough. Most people don’t touch their Hotmail options, much less “techy” security options like SSL configuration. And thus most people will still be wide open to the Firesheep public wifi exploit which is now being exploited to easily access data in other people’s Hotmail accounts.

    Google made full session SSL Gmail the default for all users almost a *year* ago:
    http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html

  • Hotmail User

    SSL as an option is better than nothing but it’s not good enough. Most people don’t touch their Hotmail options, much less “techy” security options like SSL configuration. And thus most people will still be wide open to the Firesheep public wifi exploit which is now being exploited to easily access data in other people’s Hotmail accounts.

    Google made full session SSL Gmail the default for all users almost a *year* ago:
    http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html

  • Waiting for full security

    Google went to all SSL encrypted traffic last January and they found the extra computational effort was negligible. So what’s Hotmail’s excuse?

    http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html:
    In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

    If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.

  • Waiting for full security

    Google went to all SSL encrypted traffic last January and they found the extra computational effort was negligible. So what’s Hotmail’s excuse?

    http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html:
    In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

    If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.