Since I know a few people at Microsoft on the Hotmail team, I’m hoping one of them will read this article and fix the problem.
In short, Microsoft and Hotmail are helping internet users get phished due to Hotmail’s poor security practices.
There is a very nice summary of phishing techniques written up here. One of the major problems they emphasize is how many existing and reputable sites condition users to ignore security. Security is a tough enough problem to begin with, and the UI in our browsers is clearly deficient. But on top of that, we’ve got companies like Microsoft not even practicing what they preach, and conditioning users to ignore security warnings.
My example today comes from Hotmail. I’ve been seeing this problem for several months now, and I’m getting sick of it. When you go to the hotmail site and try to login, you’ll be presented with the security box (click it to enlarge), indicating to the user that the certificate is invalid. Unless you are a 100%-pure geek like me, you probably don’t know why it is invalid, or even what it really means. You know, that in this case, you’ll probably get to read your email if you click OK. So you ignore the problem. WARNING – you could have just been phished. And, when you go to the next site that presents that warning, what will you do?
This problem is very fixable. Hotmail is in the process of changing the product name from hotmail to live mail, and they are redirecting in a way which exposes this problem. This is really just laziness – it is a simple problem to fix with matching your domain name and your certificates.
When Microsoft won’t even configure their websites correctly, how can we expect the smaller and more ignorant companies to do so? You might as well take all the dialog boxes in Internet Explorer and replace them with this (credit to University of Aukland for the image):
