Updates at the foot of the post.
Hotmail users in the Middle East, Africa and Asia have had secure access to their email accounts disabled after Microsoft turned off the “always use HTTPS” option within its popular email service, potentially allowing governments and hackers to eavesdrop on sensitive communications.
Initially reported by Jillian C. York, the issue was originally thought to affect only Arabic and Iranian users, but further investigation by the Electronic Frontier Foundation (EFF) found that it was affecting users in more than a dozen countries, including Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan.
If a user from one of these countries tries to enable the “always use HTTPS” feature to read their mail more securely, they are met with the following error:
Your Windows Live ID can’t use HTTPS automatically because this feature is not available for your account type.
Microsoft introduced the secure feature in December 2010 to give its users the option to encrypt all traffic sent via Hotmail servers. The option added further protection not only for users of the service on public networks but also for users residing in countries where Internet traffic was monitored by government agencies.
Whether Microsoft has purposefully cooperated with requests by various governments is not known at the time of writing, but the change does highlight a massive error in judgement by the Redmond-based company to jeopardise the security of its users.
Luckily there is an easy way to re-enable the HTTPS feature. A Hotmail user simply needs to head into their account, click into their Settings and then change the country listed in their profile to a country where the option has not been disabled – for example the UK or the United States.
Various HTTPS extensions are available for open source browsers including Chrome and Firefox, but they cannot guarantee that communications are encrypted from start to finish, because Hotmail directs users via a number of different servers upon sign-in.
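Whether a sign-in flow stays encrypted across every server it passes through can be checked mechanically. The following is an added example, not part of the original article and not Microsoft's code: it audits a recorded redirect chain for plaintext hops, HTTPS-to-HTTP downgrades, cookies set without the Secure attribute, and HTTPS responses without HSTS. The host names and the chain itself are constructed placeholders, not real Hotmail servers.

```python
from urllib.parse import urlsplit

# Constructed sample: a sign-in redirect chain recorded as (url, response headers).
# Host names are placeholders (assumption), not real Hotmail servers.
SAMPLE_CHAIN = [
    ("https://login.mail.example.test/signin",
     {"Location": "http://auth.example.test/post",
      "Set-Cookie": "sid=abc123; Path=/; HttpOnly"}),
    ("http://auth.example.test/post",
     {"Location": "https://inbox.example.test/",
      "Set-Cookie": "token=xyz; Secure; HttpOnly"}),
    ("https://inbox.example.test/",
     {"Strict-Transport-Security": "max-age=31536000"}),
]


def audit_chain(chain):
    """Return (hop_index, finding) pairs for each weakness in a redirect chain."""
    findings = []
    prev_scheme = None
    for i, (url, headers) in enumerate(chain):
        hdrs = {k.lower(): v for k, v in headers.items()}
        scheme = urlsplit(url).scheme.lower()
        if scheme != "https":
            # Anything sent to this hop is readable on the wire.
            findings.append((i, "plaintext-hop"))
            if prev_scheme == "https":
                findings.append((i, "https-to-http-downgrade"))
        elif "strict-transport-security" not in hdrs:
            # Without HSTS the browser may later be steered back to HTTP.
            findings.append((i, "no-hsts"))
        cookies = hdrs.get("set-cookie", [])
        if isinstance(cookies, str):
            cookies = [cookies]
        for cookie in cookies:
            attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
            if "secure" not in attrs:
                # Cookie will also be sent over plain HTTP requests.
                findings.append((i, "cookie-without-secure"))
        prev_scheme = scheme
    return findings


if __name__ == "__main__":
    for hop, finding in audit_chain(SAMPLE_CHAIN):
        print(f"hop {hop}: {SAMPLE_CHAIN[hop][0]} -> {finding}")
```

A real chain can be captured with the browser's network panel and fed in the same (url, headers) shape.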
Update: A Microsoft representative contacted us to tell us that the HTTPS disabling was an error on Microsoft’s part and that service to all users has been restored:
We are aware of an issue that impacted some Hotmail users trying to enable HTTPS. That issue has now been resolved. Account security is a top priority for Hotmail and our support for HTTPS is worldwide – we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused.