Why is there a “http” in the address bar as a prefix when I log into Hotmail rather than an “https”? Other email servers’ addresses (Gmail, Yahoo, etc.) seem to generally have the prefix “httpS” [capitalized for emphasis by me] (“https://www.google.com…” etc.), yet I noticed that Hotmail’s reads “http://login.live.com/login…” once I’ve typed in “www.hotmail.com”. Should I feel less safe logging into my Hotmail account rather than my Gmail one since there’s no “https”?
It depends on what you’re attempting to protect yourself from, but in general the answer is: yes. There’s a slightly higher risk if Hotmail’s not using https.
And unfortunately, it appears that for certain common operations Windows Live Hotmail cannot use https at all.
First, logging in.
When you log in to Windows Live Hotmail you’ll typically see the Windows Live login page sign-in form:
Note the “enhanced security” item I’ve highlighted. That’s actually a link. If you click on it, you’ll see the same sign-in form, but with this URL displayed in your address bar:
Note that it’s https. In fact, it’s “enhanced” https, indicated by the green bar naming Microsoft Corporation as the owner.
Then things take a disappointing turn.
Once you log in you’ll see your address bar return to something like this:
That’s not https. It’s not encrypted.
That means that while your login information has been encrypted and could not be sniffed, the actual contents of your email as you read and send messages are being transmitted in the clear. Are you reading your Hotmail using an open hotspot in an internet cafe? Anyone within range and with the right software could be reading it along with you.
As I said: disappointing.
As far as I can tell, there’s no way Windows Live Hotmail can be coerced to use an https connection for reading.
Contrast that to this option in Gmail:
Select that option and no matter how you get to Gmail it will always switch to an https connection, encrypting not only your login, but your email as you read and send it.
It’s not a trivial problem for Microsoft to solve, but in my opinion, solve it they must. Hotmail just isn’t as secure as it should be without it.