Which is more secure Outlook or Hotmail?

[Dirk]

Outlook which has certificates encryption and signing seems very private and
secure. Are there any vulnerability points between me and recipient of my
email when
I use Outlook to encrypt and sign? How does Hotmail compare security and
privacy-wise with Outlook?

 

[Steve Riley [MSFT]]

Hotmail is a web-based email provider. Outlook is a mail client for
Exchange, POP3, and IMAP4 mail servers. They aren't directly comparable
(although you can also configure Outlook to read your Hotmail, as well).

Encrypting and signing mail requires the use of digital certificates. If you
want to sign your own email, you'll need your own certificate and private
key. Outlook will use your private key to encrypt a hash of your message,
then attach that hash as the signature to the email. The person who receives
your mail will need your certificate (with your public key) to verify your
signature. If you want to send encrypted mail to someone else, you'll need
their certificate. Outlook will use their public key to encrypt the email.
The other person will use their own private to decrypt it. This whole
process of signing and encrypting email follows an Internet standard called
S/MIME. Most email clients support this.

When you use the Hotmail web interface, there's no option to sign or encrypt
email. If you use Outlook to read and compose your Hotmail mail, then you
can use Outlook's built-in support for S/MIME.

The remaining question, then is where to get digital certificates?
http://office.microsoft.com/en-us/marketplace/EY010504841033.aspx is one
place that lists some choices for you.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Dirk" <d> wrote in message news:O8iYxUx6HHA.5772@TK2MSFTNGP03.phx.gbl...
> Outlook which has certificates encryption and signing seems very private
> and
> secure. Are there any vulnerability points between me and recipient of my
> email when
> I use Outlook to encrypt and sign? How does Hotmail compare security and
> privacy-wise with Outlook?
>

 

[Anteaus]

As said they are two differnt approaches, and cannot be directly compared.

The main risk with Hotmail is that of using Internet Explorer to access it,
and then absentmindedly continuing to do general surfing with it, and
inadvertently accessing a malware site which exploits its security
weaknesses. That is by far the most common way in which machines get
compromised.

Outlook used to be a security disaster-area, but recent versions have
substantially improved on that situation. However I would still be careful
about opening untrusted HTML messages in Outlook.

If you want to achieve security then:

1. Don't use Internet Explorer, for Hotmail or anything else. Get Firefox.

2. Use a more-secure POP/IMAP mailreader such as Thunbderbird.

 

[S. Pidgorny]

G'day:

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message
news:6257347E-B86D-42E0-

> Outlook used to be a security disaster-area, but recent versions have
> substantially improved on that situation. However I would still be careful
> about opening untrusted HTML messages in Outlook.

How do you know it's untrusted and HTML without opening the message?

> If you want to achieve security then:
>
> 1. Don't use Internet Explorer, for Hotmail or anything else. Get Firefox.
>
> 2. Use a more-secure POP/IMAP mailreader such as Thunbderbird.

There were some nasty vulnerabilities. You should have suggested browser and
mail client with zero known vulnerabilities - like Pocket IE.

Back to subject. You have to update Firefox and Thunderbird constantly. You
don't need to do that for Hotmail - or other hosted services. That is
another difference.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

 

[Stefan Kanthak]

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote:

> G'day:
>
> "Anteaus" <Anteaus@discussions.microsoft.com> wrote in message
> news:6257347E-B86D-42E0-
>
> > Outlook used to be a security disaster-area, but recent versions have
> > substantially improved on that situation. However I would still be careful
> > about opening untrusted HTML messages in Outlook.
>
> How do you know it's untrusted and HTML without opening the message?

Just discard the HTML and let the client display (not interpret!) the
text-part only!

JFTR:

* Can you switch to a text-only view in your browser too?
If a hosted service ever gets compromised that might be helpful.-)

* Can you switch your hosted service to display foreign, untrusted
content without any embedded malicious code?

If not, then the local email/news client has an advantage!

> > If you want to achieve security then:
> >
> > 1. Don't use Internet Explorer, for Hotmail or anything else. Get Firefox.
> >
> > 2. Use a more-secure POP/IMAP mailreader such as Thunbderbird.
>
> There were some nasty vulnerabilities. You should have suggested browser and
> mail client with zero known vulnerabilities - like Pocket IE.
>
> Back to subject. You have to update Firefox and Thunderbird constantly. You
> don't need to do that for Hotmail - or other hosted services. That is
> another difference.

Don't you use a browser to access Hotmail or other hosted services?
Then you'll have to update that browser.
If you use an email client instead, you have to update that one.
Either way, you have to update your client.

Stefan

 

[S. Pidgorny]

G'day:

"Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message

>> How do you know it's untrusted and HTML without opening the message?
>
> Just discard the HTML and let the client display (not interpret!) the
> text-part only!

So "untrusted" part is kinda redundant, isn't it?

> * Can you switch to a text-only view in your browser too?

In all absurdity of suggesting product instead of a practice for security,
let's all use Lynx!

> If a hosted service ever gets compromised that might be helpful.-)

No. I have, and I'll continue opening HTML pages wherever I like. Avoiding
advanced features that are available in modern software is no substitute for
secure computing.

> * Can you switch your hosted service to display foreign, untrusted
> content without any embedded malicious code?

You tell me - can I do that in Hotmail?

> Don't you use a browser to access Hotmail or other hosted services?
> Then you'll have to update that browser.

I have mentioned one browser that never required updates because there are
no (known) vulnerabilities in it. I'm also currently use Symbian browser on
a Nokia microcomputer. Software that doesn't require updates is here for a
while now. And hosted services tend to be better maintained from security
perspective because they are bread and butter for those running them.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

 

[Anteaus]

"Stefan Kanthak" wrote:


> Don't you use a browser to access Hotmail or other hosted services?
> Then you'll have to update that browser.

True, although the only vulnerabilities -of any real concern anyway- in
Mozilla products are those involving third-party plugins such as Flash, Java
or Quicktime.

On which subject, one of the crazy things about automatic updates is that
they will install these add-ons (particularly Java) onto computers where they
did not exist before, and where there is no need for them. This may actually
lead to the computer being compromised as a direct result of having been
auto-updated.

 

[Stefan Kanthak]

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote:

> G'day:
>
> "Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
>
> >> How do you know it's untrusted and HTML without opening the message?
> >
> > Just discard the HTML and let the client display (not interpret!) the
> > text-part only!
>
> So "untrusted" part is kinda redundant, isn't it?

You got it-) The internet is^Whas become a hostile environment, you
better play safer hex there.
Take a look at the default settings even of recent Microsoft products
like Outlook and Outlook Express (for example): HTML-rendering has been
turned off there! I suspect that MSFT must have had reason to do so.

> > * Can you switch to a text-only view in your browser too?
>
> In all absurdity of suggesting product instead of a practice for security,
> let's all use Lynx!

You but missed the point (and me playing devils advocate).

BTW: is "use your browser to access a hosted service to read your mail
as replacement for a local MUA" not changing product for practice too?

Does your hosted service offer a setting "show foreign content as text"?
Can you rely on that setting?
Thats most often stored in a cookie on the client. You change the client,
access the service from another user account on your own PC, or even
from a public PC in an internet cafe, and the setting is gone.

Or, in more detail: almost all hosted services use DHTML and therefore
need J^HECMAScript enabled in the clients browser. Are you really sure
that the hoster has taken all precautions to filter out ECMAScript in
mails viewed with his service? XSS attacks too? IFrames? Plain HTML?

> > If a hosted service ever gets compromised that might be helpful.-)
>
> No. I have, and I'll continue opening HTML pages wherever I like. Avoiding
> advanced features that are available in modern software is no substitute for
> secure computing.

Not as long as the (wrong) use of these advanced features opens security
holes! See above: the internet is hostile. And Joe Average can't tell the
difference between a website that is susceptible to XSS/phishing and one
which is not.

> > * Can you switch your hosted service to display foreign, untrusted
> > content without any embedded malicious code?
>
> You tell me - can I do that in Hotmail?

Don't know, I've never used Hotmail. But see above. Hotmail is just in
the subject.

> > Don't you use a browser to access Hotmail or other hosted services?
> > Then you'll have to update that browser.
>
> I have mentioned one browser that never required updates because there are
> no (known) vulnerabilities in it. I'm also currently use Symbian browser on
> a Nokia microcomputer. Software that doesn't require updates is here for a
> while now. And hosted services tend to be better maintained from security
> perspective because they are bread and butter for those running them.

As above: can Joe Average tell whether the browser he uses on his gadget
is secure? Or just up-to-date with security patches?
Can he visit his online banking website without fear of phishing?

Maybe you and I (and some more people) can tell, but Joe or his kids just
want to have fun on the net. And when their favorite website with (as
either Steve Riley or Jesper Johansson put it) the "naked dancing pigs"
require to enable scripting and plugins/ActiveX they'll most probably do so.

So, in short: using a (properly configured and up-to-date) MUA/NUA to read
mail and news is in general more secure for Joe Average.

Stefan

 

[Dirk]

One thing I've noticed is that Hotmail uses https when I'm logging in but
http when I'm viewing email. Does that mean communication is encrypted only
when I'm logging in but the text of my email is sent in plain text over the
internet? If that's true, then encrypted email using a cert in Outlook
would always be more secure and private than Hotmail.
1)Is that true?
2)How can the signing and encrypting be compromised?

 

[Steve Riley [MSFT]]

Please try to keep these things separate in your mind. You're confusing a
mail _service_ (Hotmail) with a mail _client_ (Outlook).

Hotmail is a web-based email service. To read and compose email, you can use
either the web interface, Windows Live Mail Desktop, or Outlook.

Outlook is a mail client -- a program that you use to read and compose mail.
Outlook can communicate with many services -- Exchange servers, POP3/IMAP4
mail servers, and Hotmail.

You are correct. When logging onto the Hotmail web service, it uses HTTPS
only during the logon, to protect your password from eavesdropping. After
that, Hotmail uses HTTP. This is not so bad, really, because the Internet's
email protocols (SMTP, POP3, IMAP4) are normally unencrypted anyway.

If you're concerned about people eavesdropping on your mail, then yes,
message encryption is one choice. To do this, you will need an S/MIME
certificate from the _recipient_ of your message. Using the public key in
that certificate, your mail client (yes, Outlook supports this) encrypts the
message. Then the recipient uses his private key to decrypt it.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Dirk" <d> wrote in message news:#Vt603j9HHA.4712@TK2MSFTNGP04.phx.gbl...
> One thing I've noticed is that Hotmail uses https when I'm logging in but
> http when I'm viewing email. Does that mean communication is encrypted
> only when I'm logging in but the text of my email is sent in plain text
> over the internet? If that's true, then encrypted email using a cert in
> Outlook would always be more secure and private than Hotmail.
> 1)Is that true?
> 2)How can the signing and encrypting be compromised?
>

 

[S. Pidgorny]

1) True
2) By compromising private key of the massage recipient.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Dirk" <d> wrote in message news:%23Vt603j9HHA.4712@TK2MSFTNGP04.phx.gbl...
> One thing I've noticed is that Hotmail uses https when I'm logging in but
> http when I'm viewing email. Does that mean communication is encrypted
> only when I'm logging in but the text of my email is sent in plain text
> over the internet? If that's true, then encrypted email using a cert in
> Outlook would always be more secure and private than Hotmail.
> 1)Is that true?
> 2)How can the signing and encrypting be compromised?
>