- Global Voices Advox - https://advox.globalvoices.org -

Microsoft Compromises Users’ Privacy: No HTTPS in Arab Countries, Iran

Categories: Algeria, Bahrain, Iran, Jordan, Lebanon, Syria, Activism, Advocacy, Regulation

With the ongoing protests and violent crackdowns by governments in the Middle East, compromising online security could have dire repercussions on the wellbeing of internet users in the region. Email security is a priority and HTTPS should be enabled by default. Gmail does that, while Microsoft allows users to choose to activate the option, and Yahoo! Mail does not offer it.

Accessnow created and circulated a much-needed step-by-step guide to protect privacy online [1]. This morning a Syrian student in Jordan approached me on Twitter and said that he couldn't follow the guide to enable HTTPS for his Hotmail account. I asked him to send me a screenshot [2] and proceeded to alert Jillian York [3] of the Berkman Center to the issue.

York, who's also an Advocacy contributor, proceeded to investigate the issue further [4]. Her first suspicion was export controls due to sanctions imposed on Syria, but the user stated he was in Jordan and that his profile info was set to Jordan as well. That ruled out the possibility of the problem being caused by over-complying with the export controls, so she took a closer look at the issue:

I quickly created a Hotmail account to see if I could replicate the situation; sure enough, when I set my location to the United States, I could turn on HTTPS as a setting, but when I switched to Jordan, I could not. I tested several other Arab countries–Syria, Bahrain, Lebanon, Morocco, Algeria–also no HTTPS. I then tested Guatemala, Israel, and Turkey: all fine. France, Germany: fine. Iran…no HTTPS.

The screenshot below shows the error message users from Arab countries and Iran get when attempting to activate secure connections (HTTPS) for their free webmail account provided by Microsoft.

[5]

Luckily, a temporary workaround exists for concerned users. All they need to do is change the country in their profile to the US, and they will be able to set HTTPS to be used automatically. York also suggests that affected users can switch to Gmail, which has the setting enabled by default globally, and she states that Microsoft has been contacted and informed about the problem. Hopefully Microsoft will handle this security risk in a timely manner.