
Microsoft Shuts off HTTPS in Hotmail for Over a Dozen Countries - there
https://www.eff.org/deeplinks/2011/03/microsoft-shuts-https-hotmail-over-dozen-countries
======
wheels
That's _almost_ a list of the countries that the US has present embargoes with –
close enough anyway to make me think it's not a coincidence.

Perhaps they're using strong cryptography and those are the nations which are
not approved to export crypto to (and hence, perhaps not supported in local
versions of IE)?

<http://en.wikipedia.org/wiki/United_States_embargoes>

[http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_U...](http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States#Current_status)

~~~
Natsu
El Reg talked to Microsoft and claims it's a bug. Still, why would changing
one's country make HTTPS available again? Why those countries?

All in all, it really makes them look bad, even if there's an innocent
explanation.

[http://www.theregister.co.uk/2011/03/26/microsoft_https_hotm...](http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/)

~~~
WalterGR
_Still, why would changing one's country make HTTPS available again?_

Despite EFF's headline, it doesn't sound like this made _HTTPS_ unavailable,
but rather the "always-use-HTTPS" setting.

_Why those countries?_

Here's a guess: it was a localization issue.

I bet changing your country changes your default language. And I also bet that
the availability of localized strings (i.e. "Is string 8230 available in
language X?") affects what options are shown to the user. After all, if a
descriptive string isn't available in the user's current language, how do you
show them the option?

So what exactly happened? I don't know. Maybe they whacked some part of a
localization table. Or rolled back to a previous localization table. Or
mangled mappings from "language" to "current localization table". Software is
complex.

_All in all, it really makes them look bad, even if there's an innocent
explanation._

The timing certainly invites theories of maliciousness.

~~~
Natsu
While that seems like a plausible explanation, I have a hard time
understanding what changed to trigger it. I mean, surely they had it
translated beforehand, so what mangled things to make it believe there was no
translation?

Also, weirdly enough, the error that got shown was in English. Not that it
proves anything, but it makes it seem like the language settings were set to
English, in spite of the location.

So, yeah, I'm going to be very curious about the explanation of this one. For
the record, I do think that it could be innocent, but this kind of thing
_really_ invites people to think the worst.

------
tshtf
I'm surprised the EFF didn't ask Microsoft for a response on this.... If any
news release by the EFF deserves a third-party response, this is it.

------
ajays
Looking at the list, I bet they included Congo, Nigeria, etc. to hide the fact
that most of the countries in that list are currently in some state of
turmoil. It would have looked really ugly if they had done it just for those
countries; so they threw in the Congolese and Nigerians too.

MSFT has 90,000 employees; surely some of them can speak up about this, and
how it jeopardizes the people in those countries who are struggling for
freedom?

~~~
zcrar70
Why would the fact that the countries are in turmoil cause MS to remove HTTPS
for Hotmail? Do you think that MS has links to the governments of those
countries (and is somehow trying to make it easier for the local governments
to crack down on dissidents by tapping their email communications)?

~~~
ajays
I hope you don't take offense, but: I think you're being extremely naive.

Here's how the logic works: MSFT does business in these countries. These
countries have a sudden desire to monitor some citizens' communications (which
include Hotmail accounts). HTTPS prevents this monitoring, so these countries
lean on MSFT. Ergo, MSFT shuts down HTTPS access to Hotmail.

For a lot of these regimes, it's a matter of survival to crush dissent. MSFT
just made that a little bit easier.

~~~
adolph
I hope you don't take offense, but: I think your argument sounds like a
conspiracy fantasy.

Let's say there are two options to consider: 1. There is a localization bug
that affects the always-https setting. 2. Microsoft wants to do business with
those countries and purposefully created a defect in always-https.

The first case is very plausible (to me at least). Defects happen, some are
more visible than others.

The second case is less plausible to me. The current pattern of governments is
to request by local-law the ability to monitor/control communications without
the citizen knowing. An example similar to this hypothetical that is often in
the news is countries that request a Blackberry messaging server in-country.

Q: Why would Microsoft collude with these regimes to crush dissent in such an
obviously noticed and easily defeated way?

A: Because their evil regime assistance unit is incompetent.

Q: Why would you choose that over the more simple first case of a localization
bug?

~~~
burgerbrain
Sufficiently advanced incompetence is indistinguishable from malice.

------
jackowayed
I don't think I buy the conspiracy theories being presented on this thread.
What, Microsoft was bullied by the government of Myanmar? Even if these
countries said to Microsoft "turn off HTTPS or we're blocking Hotmail", I
think they would have opted for the latter. And Google is still serving GMail
over SSL to these countries, right?

My guess: These are all countries that I would guess have pretty high latency
from Microsoft's servers. The SSL handshake requires several roundtrips, as I
understand it, which means that high latency would hurt performance
significantly.

~~~
rbanffy
> Even if these countries said to Microsoft "turn off HTTPS or we're blocking
> Hotmail"

What if they said "drop HTTPS and, as soon as this turmoil ends, we will
modernize our government IT"?

------
carbonx
Misleading headline. HTTPS was only shut off if you a) set your location
manually, and b) tried to enable a (relatively new) feature to force your
account to always connect with HTTPS. It sounds like someone really just
stumbled across a bug...and, oh by the way, it's been fixed.

------
sushilchoudhari
This issue has been resolved now as per internal sources :-). The
functionality has been returned to previous state.

~~~
djcapelis
This doesn't really make me feel a lot better. I'm glad they backtracked, but
doing so quietly once they got caught does not inspire much faith in their
passion to make technology that makes the world a better place.

~~~
rbanffy
Perhaps the "troublemakers" were successfully identified. No need to continue
with this extremely unpopular (among users) thing.

Even if not all of them could be identified, the ones who were will certainly
cooperate with authorities.

------
emilsedgh
A few days after the Iranian government and Comodo incident, Hotmail removes
its HTTPS option for Iranians.

I don't know what the reason is. But it's just unacceptable. Hotmail knows
Iranian government is after sniffing users' data. Iranian cracker tried issuing
a certificate for Hotmail. Now they remove HTTPS option?

------
tomp
> The good news is that the fix is very easy.

Is it just me, or is there a strong correlation between decisions that seem
bureaucratic and politically motivated, and are completely ineffective at
achieving their purpose (at least for the technical users)?

(I have the recent India vs. .xxx news in mind as well.)

~~~
sushilchoudhari
This issue has been resolved now as per internal sources :-). The
functionality has been returned to previous state, regret any inconvenience

------
logic_magic
Why would they do this? Something feels so odd about this.

~~~
riffic
Pure evil. See <http://en.wikipedia.org/wiki/Banality_of_evil>

------
bugsy
That's extremely interesting, particularly the specific list of countries.

I bet it was not Microsoft who originated the decision to do this.

------
ck2
Countdown to Google following after threats from governments.

It's just like the BlackBerry decryption keys being turned over.

~~~
kragen
What happened with the BlackBerry decryption keys? Do you have a link?

~~~
getsat
<http://www.bbc.co.uk/news/technology-10951607>

~~~
kragen
At the time described in that story, RIM was reportedly not handing over the
encryption keys to anybody. What happened?

~~~
getsat
Hmm, looks like it's still ongoing:
[http://www.digitaltrends.com/mobile/india-gives-rim-march-31...](http://www.digitaltrends.com/mobile/india-gives-rim-march-31-email-access-deadline/)

------
vidyesh
This is really stupid, Hotmail isn't secure anymore. And how come Microsoft
hasn't responded yet ???!!!

