Helping people with computers... one answer at a time.

https is an important step to keeping the information you send and get on the web private. Hotmail uses it for login, but not thereafter.

Why is there a "http" in the address bar as a prefix when I log into Hotmail rather than an "https"? Other email servers' addresses (Gmail, Yahoo, etc.) seem to generally have the prefix "httpS" [capitalized for emphasis by me] ("https://www.google.com..." etc.), yet I noticed that Hotmail's reads "http://login.live.com/login..." once I've typed in "www.hotmail.com". Should I feel less safe logging into my Hotmail account rather than my Gmail one since there's no "https"?

It depends on what you're attempting to protect yourself from, but in general the answer is: yes. There's a slightly higher risk if Hotmail's not using https.

And unfortunately, it appears that for certain common operations Windows Live Hotmail cannot use https at all.

First, logging in.

When you login to Windows Live Hotmail you'll typically see the Windows Live login page sign in form:

Windows Live Hotmail Enhanced Security Link

Note the "enhanced security" item I've highlighted. That's actually a link. If you click on it, you'll see the same sign in form, but with this URL displayed in your address bar:

Windows Live Hotmail Enhanced Security URL

Note that it's https. In fact, it's "enhanced" https, indicated by the green bar naming Microsoft Corporation as the owner.

That's great, and it's safe to assume at this point that your Windows Live Hotmail login information is being encrypted - your username and password are safe from network sniffing.

Then things take a disappointing turn.

Once you login you'll see your address bar return to something like this:

Windows Live Hotmail URL when reading

"As far as I can tell, there's no way Windows Live Hotmail can be coerced to use an https connection for reading."

That's not https. It's not encrypted.

That means that while your login information has been encrypted and could not be sniffed, the actual contents of your email as you read and send messages is being transmitted in the clear. Are you reading your Hotmail using an open hotspot in an internet cafe? Anyone within range and with the right software could be reading it along with you.

As I said: disappointing.

As far as I can tell, there's no way Windows Live Hotmail can be coerced to use an https connection for reading.

Contrast that to this option in GMail:

GMails always use https option

Select that option and no matter how you get to GMail it will always switch to an https connection, encrypting not only your login, but your email as you read and send it.

It's not a trivial problem for Microsoft to solve, but in my opinion, solve it they must. Hotmail just isn't as secure as it should be without it.

The good news is that Windows Live Hotmail's recently released POP3 and SMTP access use encryption, and connections using your desktop email clients are safe from sniffing.

Article C3653 - February 18, 2009 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

12 Comments
John O
February 21, 2009 9:22 PM

SSL only protects sending receiving the emails from my browser, right? My emails are still not encrypted in Gmail or hotmail mail servers. Also are the emails transfer in encrypted form between email servers?

You are very correct. Email is not encrypted when stored on mail servers, and it's also typically not encrypted when transmitted between servers.

More to the point, it may also not be encrypted when your recipient views or downloads it depending on their connection settings.
- Leo
22-Feb-2009

John O
February 22, 2009 6:52 PM

Thanks for the answers. So the SSL thing in Gmail only solves a small part of the problems, my emails are still pretty much not secure. I guess at least having SSL is the first step towards more secure emails. Baby steps...

bill
February 24, 2009 10:42 AM

The most unsecure thing for most emails is what the person who receives it does with it. All the security in the world (short of making it unreadable by anyone) is lost if the receiver posts it on many forums.

A lot depends on what you are sending and why somone would want to look at it.

If you are sending bank account information to a trusted receiver, I certainly wouldn't do it from a public computer or via an unencrypted site. If a crook goes to the work to hack into Google's servers he is not likely to find your information among the billions of messages there unless he has some way of knowing what to look for.

Sandy Smith
February 24, 2009 9:26 PM

Thanks fot the giving the setting for Gmail - so you access it http - I didn't have that selected (I just did it now.) I looked into encrytion for email and cryptainer wasn't bad but the recipient has to have the program as well making that a difficult solution sometimes. I am hoping there will be software in the future that addresses the need for encryption for email.

John O
February 25, 2009 1:58 AM

What software do you guys use to encrypt emails?
Leo, do you have any recommendations for email encryption software (preferably free)?

I ended up writing a new article on that: How do I encrypt email?
- Leo
25-Feb-2009

Sandy Smith
February 25, 2009 10:51 AM

Just an update to my earlier comment... I had to disable "Always use https" for Gmail because I could no longer access Gmail from my Blackberry.

Sandy Smith
February 25, 2009 7:12 PM

A further update... I kept screwing around with the Blackberry and got it to run Gmail with "always use https." I just kept trying. I recently upgraded my Blackberry OS from 4.2 to 4.5 so that could be why - that OS is relatively new. So, if anybody having trouble just keep trying - keep signing in - keep loading it... it eventually took.

Naomi Paulette Hamm
March 7, 2009 10:37 AM

Yes, I am having troubles logging on as always. As for as reading all that stuff, takes too much time, would cost too much to print and I still don't understand it anyway. I have had an on-going troubles with my windows live hotmail, such as even now. As it seems a lot of us have had. Some people seem truly, understandably annoyed. Please I wish you'd fix this problem ASAP thank you Naomi Paulette

You wish I would solve this problem? I can't. I'm not Hotmail. I'm not Microsoft.

Reading this stuff takes too much time? Unfortunately using computers requires education of some sort, and that means that yes, you need to read and understand information about the services you're trying to use. While it would be nice if everything "just worked", it's not going to happen. We all need to understand the tools we're using, there's no escaping it.
- Leo
08-Mar-2009

Lars Norlin
November 25, 2009 5:22 AM

Hi, thanks for this article and the confirmation of the missing https service with Hotmail. I just noticed this (the lack of http security when using Hotmail) a few days ago and you article confirms what I suspected. Hotmail cant and don't provide any https service. This is not acceptable!! From now on I will not use Hotmail for personal correspondence at all. As I see it Hotmail is only usable as a "spam" mail service, i.e. I give out my Hotmail address whenever I need to supply one to use a Internet service. /Lars

dijitul
December 4, 2009 2:34 AM

The primary benefit of HTTPS for webmail systems is not protecting your email from being compromised on forums or by the receiver. It's to protect your personal email and login information from interception by prying eyes when you're using public computer systems (cafe, wifi, etc.). And, while the server may or may not encrypt your email in storage, it's more unlikely to be compromised in this state than if it were saved on the hard drive of the sender or recipient. The webmail providers generally do a reliable job of preventing hackers from breaking into mailboxes. Also, HTTPS web pages are generally not stored in your browser's cache.

Justin Goldberg
January 5, 2010 8:23 AM

you could pop3 and smtp from gmail to hotmail!

Miles Bennet
April 14, 2011 1:00 PM

Yo!

Some tips for you, boys and girls:

You CAN go "secure" on the Hotmail. Just replace http with https.
Next, accept certificate exception (idiotic, yes).
After, you'll be asked by the hotmail itself whether to always use https. Say YES. And, voila.. that's it!

:)

And then, use Gmail instead.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.