By now you should all have the latest Hotmail update announced back in September 2010. As we mentioned last week, unfortunately the long-awaited full-session SSL (or HTTPS) feature did not make the cut in this update. We know that this feature will be coming quite soon – and we’ve been seeing this option in some of the internal testing sites:
From what we gather, it appears that there will be two options Microsoft will offer for users to enable full-session SSL during their Hotmail sessions: an automatic “always on” option, and a temporary ad-hoc option. You may wonder why have two options? Well it appears that there are some caveats with the automatic “always on” option, as shown in the screenshot below:
If you enable the option shown above for full-session SSL to be always on, it will cause errors in Windows Live Mail, Outlook Hotmail Connector, as well as Windows Live for Windows Mobile and Nokia phones. As such, if you’re using any of these clients, it is recommended that you use the ad-hoc option – simply type “https” in front of the web address every time you require full-session SSL to be enabled.
Based on this, the intention for each of the two options is quite clear:
- Use HTTPS automatically only if you frequently use public computers or unsecured wireless connections, and you only use the web-based version of Hotmail.
- Don’t use HTTPS automatically if you use Windows Live Mail, Outlook Hotmail Connector, or Windows Live for Windows Mobile/Nokia as your main client to receive your re-mails. When browsing the web-based version of Hotmail, simply add “https” in front of the web address (i.e. https://mail.live.com) to use full-session SSL. However, Windows Live will not turn this on automatically if you’ve mistakenly typed in “http” instead of “https”.
While Windows Live for Windows Mobile/Nokia was mentioned, we’re unsure whether the new Windows Phone 7, or Exchange ActiveSync users will be affected by turning on this option. We’ll get more details closer to release, so stay tuned! In the mean time, let us know what you think about this implementation. What is your intended use of full-session SSL? Which category do you fall in? And how will this affect how you intend to use this feature? Let us know in the comments below!