Given the extreme hyper-focus on session theft through packet capture and replay (ahem, FireSheep!) on sites like Twitter and Facebook, it's interesting to see how difficult it is (or whether it's even possible) to enable HTTPS throughout a popular, high-traffic site that we use every day.
I was hoping to be pleasantly surprised that the "big 3" (Microsoft Live Hotmail, Yahoo Webmail, and Google Gmail) had implemented (or at least had published easy-to-do instructions for) HTTPS encryption throughout the site... not just at the landing or login page.
Since Google's Gmail enabled HTTPS throughout the site a while back (January 2010), I wondered whether Microsoft and Yahoo had followed suit. I remember that Google made a big deal about enabling HTTPS throughout their webmail site, but that was a while ago, and surely the rest of the big 3 had followed suit. Right?
Well... Microsoft Hotmail had not. Same no-go on HTTPS for Yahoo mail.
Well, hopefully if it's not enabled by default, it's still possible to manually select that option, right?
As far as I can find, Yahoo! has no option for enabling HTTPS throughout the site. I created an account (a paid account, mind you), signed in, and checked... nothing. I couldn't find a single option or hint at setting up HTTPS throughout Yahoo! webmail. That's just shameful.
Now, Microsoft's Hotmail doesn't encrypt the entire site by default... but I am happy to report that I did find an option to encrypt the entire site in the account settings. There is a catch though, and you're probably not going to like it if you're like me. Here's how to encrypt your entire webmail session if you're using Microsoft Hotmail:
- Once you're logged in, click on your name in the top-right corner, and select Account
- From the Account page, in the Other Options section, select Connect with HTTPS
- Here you'll want to select "Use HTTPS automatically (please see the note above)"
Wait ...what is this "please see the note above" all about? Oh ...
-snip- Important note: Turning on HTTPS will work for Hotmail over the web, but it will cause errors if you try to access Hotmail through programs like:
- Outlook Hotmail Connector
- Windows Live Mail
- The Windows Live application for Windows Mobile and Nokia
If you only need a temporary HTTPS connection, enter "https" in front of the web address instead of "http".
So... let me get this straight: since I use the Outlook Hotmail Connector (or really, it could be any of the desktop app-lets), I can't use HTTPS throughout the site? Ahh... I see the problem now.
The desktop installs of each of these are built to use HTTP only, so if you force encryption throughout the webmail site, your desktop plug-in will fail because it won't understand the server forcing it to HTTPS.
This is one of the unfortunate side-effects of Microsoft being flexible and allowing their webmail to act as a full desktop mail client or plug-in. In the short term, I strongly encourage you to check the "Use HTTPS automatically" option... even though your desktop plug-in might break, you're still better off until Microsoft rolls out updates to the different plug-ins they support.
Just stick to the web browser (and HTTPS-only) version of Hotmail ...trust me.
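The FireSheep-style theft above only works because the browser sends the session cookie in clear text on an http:// request. The check below is an added example, not code from the original post or from any of the providers discussed: it takes a pair of constructed HTTP and HTTPS responses for a webmail inbox and reports whether the site redirects plain HTTP to HTTPS, whether the session cookie carries the Secure (and HttpOnly) flag, and whether HSTS is set. The host `mail.example.test` and the cookie name `SID` are constructed sample values.

```python
from email.parser import Parser
from http.client import HTTPMessage

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers)."""
    head = raw.partition("\r\n\r\n")[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser(_class=HTTPMessage).parsestr(header_block)

def session_exposure(http_raw, https_raw, session_cookie):
    """List the ways `session_cookie` could leak over plain HTTP; [] means protected."""
    findings = []
    http_status, http_hdrs = parse_response(http_raw)
    _https_status, https_hdrs = parse_response(https_raw)
    # 1. A plain-HTTP request for the mailbox must be redirected to https://
    location = http_hdrs.get("Location", "")
    if not (300 <= http_status < 400 and location.lower().startswith("https://")):
        findings.append("plain HTTP serves content instead of redirecting to HTTPS")
    # 2. The session cookie must carry Secure, or the browser will send it in clear
    #    text on the next http:// request, which is what a passive sniffer waits for.
    seen = False
    for cookie in https_hdrs.get_all("Set-Cookie", []):
        name, _, rest = cookie.partition("=")
        if name.strip() != session_cookie:
            continue
        seen = True
        attrs = {a.strip().split("=")[0].lower() for a in rest.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"{session_cookie} cookie lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"{session_cookie} cookie lacks the HttpOnly flag")
    if not seen:
        findings.append(f"{session_cookie} cookie not set by the HTTPS response")
    # 3. HSTS keeps the browser from trying http:// again after the first visit
    if https_hdrs.get("Strict-Transport-Security") is None:
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample exchanges (not captured from any real site).
# Webmail that only protects the login page, then runs the inbox over HTTP:
EXPOSED_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>inbox</html>"
EXPOSED_HTTPS = ("HTTP/1.1 200 OK\r\nSet-Cookie: SID=abc123; Path=/\r\n"
                 "Content-Type: text/html\r\n\r\n<html>inbox</html>")
# Site-wide HTTPS done properly:
HARDENED_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://mail.example.test/\r\n\r\n"
HARDENED_HTTPS = ("HTTP/1.1 200 OK\r\nSet-Cookie: SID=abc123; Path=/; Secure; HttpOnly\r\n"
                  "Strict-Transport-Security: max-age=31536000\r\n\r\n<html>inbox</html>")
```

Calling `session_exposure(EXPOSED_HTTP, EXPOSED_HTTPS, "SID")` returns four findings, while the hardened pair returns an empty list; against a live site you would feed it the responses your own browser receives for the inbox URL over http:// and https://.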
So in summary here's how it looks:
- [Best] Google Gmail - HTTPS throughout by default... since January 2010
- [Livable] Microsoft Hotmail - HTTPS throughout not by default, option to select but breaks desktop app-lets
- [Unacceptable] Yahoo Webmail - HTTPS throughout not by default, in fact not even available as an option