That's almost a list of the countries that the US has present embargoes with – close enough anyway to make me think it's not a coincidence.
Perhaps they're using strong cryptography and those are the nations which are not approved to export crypto to (and hence, perhaps not supported in local versions of IE)?
Still, why would changing one's country make HTTPS available again?
Despite EFF's headline, it doesn't sound like this made HTTPS unavailable, but rather the "always-use-HTTPS" setting.
Why those countries?
Here's a guess: it was a localization issue.
I bet changing your country changes your default language. And I also bet that the availability of localized strings (i.e. "Is string 8230 available in language X?") affects what options are shown to the user. After all, if a descriptive string isn't available in the user's current language, how do you show them the option?
So what exactly happened? I don't know. Maybe they whacked some part of a localization table. Or rolled back to a previous localization table. Or mangled mappings from "language" to "current localization table". Software is complex.
All in all, it really makes them look bad, even if there's an innocent explanation.
The timing certainly invites theories of maliciousness.
While that seems like a plausible explanation, I have a hard time understanding what changed to trigger it. I mean, surely they had it translated beforehand, so what mangled things to make it believe there was no translation?
Also, weirdly enough, the error that got shown was in English. Not that it proves anything, but it makes it seem like the language settings were set to English, in spite of the location.
So, yeah, I'm going to be very curious about the explanation of this one. For the record, I do think that it could be innocent, but this kind of thing really invites people to think the worst.
> Still, why would changing one's country make HTTPS available again?
Could also be to do with geographical regions being on different infrastructure, perhaps with slightly different versions of the code deployed to them. Maybe some broken logic in a proxy or something. All it could take is a couple of bits flipped.
There are many, many possible reasons for glitches like this in a system this large.
Libya is a glaring omission, and there's a war there. There are also countries being blocked that are not on the crypto embargo list. Regardless, a response from Microsoft would be appropriate here.
Isn't the timing a little bit suspicious for many countries on the list? Is Microsoft being pressed by the US government about allowing citizens of those countries to use HTTPS (is allowing HTTPS exporting crypto?)? Are they being pressured not to drop HTTPS for Libyans?
Looking at the list, I bet they included Congo, Nigeria, etc. to hide the fact that most of the countries in that list are currently in some state of turmoil. It would have looked really ugly if they had done it just for those countries; so they threw in the Congolese and Nigerians too.
MSFT has 90,000 employees; surely some of them can speak up about this, and how it jeopardizes the people in those countries who are struggling for freedom?
Why would the fact that the countries are in turmoil cause MS to remove HTTPS for Hotmail? Do you think that MS has links to the governments of those countries (and is somehow trying to make it easier for the local governments to crack down on dissidents by tapping their email communications)?
I hope you don't take offense, but: I think you're being extremely naive.
Here's how the logic works:
MSFT does business in these countries.
These countries have a sudden desire to monitor some citizens' communications (which include Hotmail accounts). HTTPS prevents this monitoring, so these countries lean on MSFT. Ergo, MSFT shuts down HTTPS access to Hotmail.
For a lot of these regimes, it's a matter of survival to crush dissent. MSFT just made that a little bit easier.
I hope you don't take offense, but: I think your argument sounds like a conspiracy fantasy.
Let's say there are two options to consider: 1. There is a localization bug that affects the always-https setting. 2. Microsoft wants to do business with those countries and purposefully created a defect in always-https.
The first case is very plausible (to me at least). Defects happen, some are more visible than others.
The second case is less plausible to me. The current pattern of governments is to request by local-law the ability to monitor/control communications without the citizen knowing. An example similar to this hypothetical that is often in the news is countries that request a Blackberry messaging server in-country.
Q: Why would Microsoft collude with these regimes to crush dissent in such an obviously noticed and easily defeated way?
A: Because their evil regime assistance unit is incompetent.
Q: Why would you choose that over the more simple first case of a localization bug?
I can't tell if you're speaking ironically or not, but just in case you aren't, the answer is clearly "yes". What non-political reason could Microsoft have to select just those specific countries?
> Do you think that MS has links to the governments
Governments buy truckloads of licenses and get to determine how much tax you pay. I'd say it would be completely unlike Microsoft not to have them. Their sales force is not the kind of people who would leave money on the table.
I've seen how government sales are made. There is a lot in common with sausages.
I don't think I buy the conspiracy theories being presented on this thread. What, Microsoft was bullied by the government of Myanmar? Even if these countries said to Microsoft "turn off HTTPS or we're blocking Hotmail", I think they would have opted for the latter. And Google is still serving GMail over SSL to these countries, right?
My guess: These are all countries that I would guess have pretty high latency from Microsoft's servers. The SSL handshake requires several roundtrips, as I understand it, which means that high latency would hurt performance significantly.
Misleading headline. HTTPS was only shut off if you a) set your location manually, and b) tried to enable a (relatively new) feature to force your account to always connect with HTTPS. It sounds like someone really just stumbled across a bug...and, oh by the way, it's been fixed.
This doesn't really make me feel a lot better. I'm glad they backtracked, but doing so quietly once they got caught does not inspire much faith in their passion to make technology that makes the world a better place.
A few days after the Iranian government and Comodo incident, Hotmail removes its HTTPS option for Iranians.
I don't know what the reason is. But it's just unacceptable.
Hotmail knows the Iranian government is after sniffing users' data. An Iranian cracker tried issuing a certificate for Hotmail. Now they remove the HTTPS option?
Is it just me, or is there a strong correlation between decisions that seem bureaucratic and politically motivated, and are completely ineffective at achieving their purpose (at least for the technical users)?
(I have the recent India vs. .xxx news in mind as well.)
Unfortunately, a lot of users aren't very technical. That's why relatively inefficient blockages (such as removing a site from the DNS record) are often used. They work for the majority and that is good enough.
> Perhaps they're using strong cryptography and those are the nations which are not approved to export crypto to (and hence, perhaps not supported in local versions of IE)?
http://en.wikipedia.org/wiki/United_States_embargoes
http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_U...