Thursday, November 11, 2010

Thoughts on Microsoft's Hotmail SSL deployment

Update 10:00pm: I was contacted by an extremely well informed individual who told me that my speculation about Microsoft's webserver SSL performance was completely wrong. The individual declined to reveal the reason why the company opted to make SSL opt-in, which makes the decision even more curious. Why expose users to needless security risks if protecting them doesn't require significant additional computing resources.

On November 9, Microsoft rolled out opt-in HTTPS (SSL) protection for its Hotmail service, which came just a couple weeks after Firesheep made the importance of such security measures quite clear. For those of you just tuning in to SSL issues, Microsoft's announcement might seem like a great move. This blog post will explain why Microsoft deployed this security enhancement, why it hasn't done it by default, and why it should.


Over the past few years, researchers released several security tools that automated the capture of credentials and session cookies, allowing an attacker to easily hijack user accounts that were logged into over an insecure wifi connection. In October, 2008, Mike Perry released Cookiemonster, which made session hijacking against several major popular web 2.0 services even easier. Across the board, webmail and social networking services totally ignored the individual pleas from security researchers and academics that they protect their users by default. Google offered SSL, but disabled it by default, and the other big companies, Facebook, Microsoft, Yahoo, didn't offer SSL at all.

Fed up with the lack of any progress, in June 2009, I published an open letter to Google's CEO, asking him to protect his customers and deploy SSL default. 37 other big name security researchers, academics and legal experts signed on, helping to get a bit of press attention. Google soon said they'd begin to study the possibility of deploying SSL by default, and then in January 2010, the company did it -- encrypting every Gmail users' entire session by default.

In addition to publishing the open letter, I sent copies of it to privacy bigshots at both Microsoft and Facebook, and told them, essentially, "don't make me write a letter for you too." Individuals at both companies thanked me for the warning, and told me they were looking into the possibility of offering SSL.

In March 2010, outgoing FTC Commissioner Pamela Jones Habour spent much of her final public speech talking about SSL.
Even though these service providers know about the vulnerabilities, and the ease with which they can be exploited, the firms continue to send private customer information over unsecured Internet connections that easily could have been secured.

My bottom line is simple: security needs to be a default in the cloud. Today, I challenge all of the companies that are not yet using SSL by default. That includes all email providers, social networking sites, and any website that transmits consumer data. Step up and protect consumers. Don’t do it just some of the time. Make your websites secure by default.
Commissioner Habour's remarks were, to my knowledge, the first time a senior government official had ever weighed in on the issue. The fact that this happened seven months after I joined the FTC is entirely coincidental.

Microsoft's move towards SSL

Just one month later, in April 2010, Microsoft announced that they too would soon offer SSL, although not by default. Fast forward to November 9, 2010, and Microsoft has made good on its promise.

Users who go out of their way to type will now receive protection for just that session. Furthermore, the first time users type in the https URL, they see a helpful dialog offering to make SSL the default for future connections.

The dialog states that Microsoft recommends the use of HTTPS by default. The problem with this, of course, is that Microsoft only shows this dialog to consumers who know enough about SSL to have visited the secure version of hotmail in the first place.

Consumers who do not know about the risks of using Hotmail over an insecure wifi connection will never see this dialog, and will thus not know that Microsoft recommends they use SSL by default.

That isn't the only way that Hotmail users can discover the availability of SSL and turn it on.

Hotmail users who regularly read the Inside Windows Live blog may have seen Microsoft's announcement of its SSL deployment, where the company announced a special URL that Hotmail users can visit to set the SSL preference: (shown below).

Curiously, neither the Inside Windows Live blog, nor the special ManageSSL web page state that Microsoft recommends the use of SSL by default, and the ManageSSL web page even has the "Don't use HTTPS automatically" option pre-selected by default.

Realistically, the vast majority of Hotmail users simply type "" into their browser, and do not read the Inside Windows Live blog, and so will be completely unaware that Microsoft now offers an SSL option. There is no mention of SSL on the regular Hotmail front page.

These users are not completely out of luck, as there is a preference within the Hotmail options that they can flip to enable SSL by default. From within their Hotmail Inbox, they need to click on "Options", then "More Options", then "Account details (password, aliases, time zone)", then "Connect with HTTPS" (the last option on the page), then "Use HTTPS automatically", and finally, click "save". See, that was easy. It only took 6 mouse clicks.

Why Microsoft doesn't use SSL by default for Hotmail

At the same time as Microsoft started to offer SSL as an option for Hotmail, it also enabled SSL by default for its SkyDrive, Photos, Docs, and Devices products. What is the difference between these services? Hotmail has lots of users, and no one uses Photos or Skydrive. Simply put, it is easy (and cheap) to deploy SSL for a service when it only has a few (hundred?) thousand users. Hotmail, which reportedly has over 500 million users, is a bit more expensive to protect.

"Wait a minute.. didn't Google say they didn't need any additional servers for SSL?" you may ask. Yes, it's true. Google was able to deploy SSL by default on their their existing servers, and according to Adam Langley, a senior Google engineer, after tweaking the OpenSSL library used by Google, SSL accounts for just 1% of the CPU overhead on those servers.

However, Google has a top notch server infrastructure, running on Linux, and a lot of really skilled engineers. Microsoft, on the other hand, uses their own products.

While Microsoft doesn't reveal too many details about the infrastructure hosting Hotmail, from Netcraft, we can see that they are using their own IIS/6.0 webserver (Netcraft lists the OS as Linux, but that is because Akamai is sitting in front of Microsoft's servers). It is of course understandable that Microsoft likes to use its own products -- unfortunately, the IIS webserver isn't very good, does not use OpenSSL, and thus SSL likely consumes quite a bit more CPU than the 1% hit that Google described.

As such, I suspect that Microsoft has instead opted to either: Pay Akamai to take care of SSL, or the company bought a large number of off the shelf SSL accelerator devices. In either case, SSL is likely costing Microsoft real money -- and, given that the company's Online Services Division lost half a billion dollars last year, it isn't too surprising why the company might be keen to try and keep its SSL related costs to a minimum.

Simply put, if Microsoft is paying a direct financial cost for SSL, then it is easy to understand why it is not offering SSL to its 500 million hotmail users by default.

What should Microsoft (and other companies) do?

When it comes to privacy and security, I think that the government can play a really important role in protecting consumers, particularly when the market has failed to deliver products that are safe by default. The problems that Firesheep has highlighted existed for years, in fact, as long as Hotmail or Facebook have existed, they have been vulnerable to account hijacking. These companies have had more than enough time to protect their customers, and have simply ignored the problem.

While I do think that privacy regulators can play a role here, I don't think it is appropriate for regulators to require that companies deliver specific products -- things get very messy when technology-ignorant bureaucrats mandate product features. However, I do think that governments can, and should compel those companies that have not protected their customers by default to at least warn users about the risks.

Earlier this year, I published a law journal article about encryption in the cloud -- which specifically focuses on fact that most services don't even offer SSL, let alone turn it on by default. In that article, I argue that if companies do not wish to protect their customers, they should at least warn them about the risks of connecting to their services when using an insecure wifi connection. Knowing that companies are unlikely to voluntarily provide such notices, I call on the government to compel the display of cigarette packet style warnings for insecure cloud based services, such as:

WARNING: Email messages that you write can be read and intercepted by others when you connect to this service using a public network (such a wireless network at a coffee shop, public library or school). If you wish to protect yourself from this risk, click here for a secure version of this service.

WARNING: The word processing documents that you create using this service can be read and modified by others when you connect to this site using a public network (such a wireless network at a coffee shop, public library or school). Widely available technologies exist that will protect you from these risks, but this service provider has opted to not offer such protective functionality.

Of course, I suspect that Microsoft and Facebook would rather eat the financial cost of deploying SSL, even if it runs into the millions of dollars, rather than display such a scary warning.. and that is exactly the point. Simply by forcing companies to reveal known risks in their products, governments can gently nudge companies to protect their customers.


Anonymous said...

I wish my mom had the time to read this.

I still love you though

Anonymous said...

"Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type." -- Some users can't opt-in if they want to.

Jason M. Christos said...

It seems to me in many cases unencrypted connections is by default plausibly deniable whereas encrypted connections are very much less plausibly deniable. This is just something to think about when using encryption. Also so far as the not by default it would seem that even with encryption privacy is easily compromised by bad security measures. If someone doesn't know to type in https:// maybe they need to learn more how much can https:// do when data mining bots may be installed on the system or a Trojan in which case https will not protect privacy. I think an informational page about using https would be much more helpful than just enabling it by default to unknowing people.

tOM Trottier said...

It is possible to make that automatic in Firefox for sites which DO support SSL by using HTTPS EVERYWHERE or an option under NOSCRIPT addons.

As well as using HTTPS with web communications, one should also use Secure Sockets Layer when using a mail client like Pegasus Mail or Thunderbird which download all mail rather than browsing it in the cloud.

One easy way to do this with any email client is to use the POPfile program. As well as categorising email using baysian methods, it can sit on your machine offering a simple POP interface to your email client while using SSL when communicated with your email server. GMAIL and others support SSL email.

Of course, this is all moot when Google chooses to disclose info to any government which asks extralegally.