Microsoft has said its new policy of requiring users to accept third party cookies to log out of Hotmail improves security. We reported the change, which was applied earlier this month, yesterday. Some readers who contacted El Reg said it raises the risk that accounts will be compromised on public machines, while others who do …
The Microsoft Problem
"We write our cookies to multiple domains to give users a good experience with single sign-on,"
And that is the best explanation of the microsoft problem that you will ever see. Nearly all of their security problems stem from making things easy for users rather than making them secure.
I don't want single sign on across domains, I want it to be secure. Ideally I'd like to have different credentials on different domains. But I know there are plenty of fucktards out there who use the same credentials on every site they visit because it's too hard for the poor dears to remember more than one set of credentials. They never change the password and then get all upset when somebody manages to hack into several of their accounts.
can't be bothered reading http://msdn.microsoft.com/en-us/library/bb676640.aspx
Can they just let us know which cookie we need to unblock.
I may be in the minority, but I much prefer to have an individual sign-on for each on-line account. That way I know what I'm signed into. Not that I use any MS services anyway, but now I've got an even better reason to avoid them.
"Users... must shut down their browsers to log out."
When was that not the case? I've always closed my browser sessions before switching to other websites, especially if I was just doing web banking.
Hell, I sandbox FF before doing banking and destroy the sandbox before going to other WWW sites.
It's just good practice.
Even from Microsoft this stretches the bounds of credibility
If third party cookies are not a security risk then why does Microsoft Internet Explorer (and every other mainstream browser) not allow them by default?
Their stated reason for using such cookies amounts to "we don't know how to, or can't be bothered writing a web-based single sign-on solution".
I think the title of my comment pretty much sums up my reaction to this. Microsoft really very badly needs a reality check and to start putting user priorities first.
Nothing to do with a "good experience"
I've heard of this company...
... don't they make one of those ludicrous expensive-but-yet-not-fit-for-purpose operating systems? I didn't realize they'd heard of the 'internets'.
and now a nice little iframe in my signature to send it somewhere :)
People still accept them?
I always set IE and Firefox to reject 3rd party cookies. They serve no useful purpose at all (to the user) and I've only found 1 web site ever that broke because of these settings.
By the way, if you've installed IE8 you'll find that Microsoft's marketing server cookie from atdmt.com gets set automatically by the operating system at boot time!!
I have that domain blocked at the router and it still gets set.
>> "We are actually removing cookies in this scenario, but it's interpreted by browsers as using third party cookies."
This translates to "we are actually removing cookies in this scenario, but our braindead applications are too stupid to notice when a browser does not have the third-party cookies to begin with, so they interpret it as an error, which is then sent to the browser."
Advertise on our sites because we make people except your cookies.
people still use hotmail?
Flush with information!
Standard stuff. Different aliases and p/w's for my umpteen accounts. I browse with everything and its ne'er-do-well uncle disabled and don't turn them on unless it's necessary, which isn't that often, really. PrefBar has a nice "Clear All" button and SeaMonkey (and, presumably, FF) can be, and is, set to clean the litterbox on exit. Don't forget to flush your DNS cache, though, and nuke your Flash cookies. I have a little batch file called "AutoClean" that automates this and takes ten-odd seconds to run after every session. As a former original Hotmail user who dumped them thirty or so seconds after the MS takeover, I have no sympathy for any of their users. GMail works well enough and can be set up as a secondary (or tertiary or whatever you require) pop account in your email client.
Hotmail is redundant hotmail is redundant hotmail is redundant
Hotmail is redundant (oh wait, I said that already)
Logging in to read email through a web browser is annoying enough. Now Microsoft wants people to break with tradition, and reconfigure their browsers to accept 3rd party cookies.
The solution I'll be recommending to my friends, family and clients is to switch them to gmail, their own ISP's email, or some other free service.
Microsoft is becoming redundant in this world of choice.
Re : I've heard of this company..
(I'm a dog - and I eat a certain operating system every evening)
Yep, solid redmondian injuneering
"[It also] helps protect user security [...]. If a cookie in one domain is compromised, it means that user assets in another domain won't be compromised."
Minor detail: The auth info comes from the same credentials, so if Ernie Adversary finds one, he finds them all. Do I dare ask whether the auth cookies will be actually different rather than the same for each 3rd party domain? Given their track record, I think you know the answer already.
Like the "if you don't let us spam you with compromising cookies we'll refuse to let you log out." detail. That took some creative skullduggery.
Safari top sites
Ahhh.. this explains why a little image of my girlfriend's logged-in Hotmail inbox now appears in my Safari top sites.
One would have thought a failsafe logout would have made more sense. Rather than: "Something went wrong with the logout, so we've left you logged in.. kthxbai.", maybe it should log out of Hotmail first, and then attempt to log out of the other services. Or maybe they thought that a technical error message will make people more likely to run back to Internet Explorer? Or maybe they just didn't think?
I don't know if closing the browser window as instructed will actually help because on Mac OS the browser will still be running until it's explicitly quit..
people still use it?
Is Microsoft *that* disconnected from reality?
...So disconnected that they don't realize that not only users, but browsers-by-default view third-party cookies like someone sneezing H1N1 virus around?
Doesn't anyone at MS keep on eye on what competing browsers are doing these days? Or is the use of Firefox etc forbidden in Redmond?
Of course, MS's failings in this instance are merely the tip of the iceberg. A surprising number of websites demand you allow cookies even to browse, thanks to bright ideas like using cookies to keep track of scrolling through user comments. (Hello, www.cbc.ca!) Others, if cookies are enabled, fire a surprisingly large number of cookies at your browser for all sorts of strange domains you've never heard of. Haven't the designers of these brain-dead systems heard that the internet is a hostile environment where unknown domains are viewed with extreme suspicion?
However, a demand that one enable cookies is usually indicative of an inferior website anyway; it's like a popup message saying "don't waste your time here."
Then there's the wonderful message "Please enable cookies in your browser" which invariably tells you how to enable cookies globally, instead of for selected domains only. I suspect this is a holdover from some version of IE that doesn't allow selective dis- and enablement of cookies, never mind that this capability hit the streets long ago.
Memo to all website designers: make sure your site operates correctly with all cookies disabled. Yes, even if someone is ordering goodies and needs to use your shopping system. It can be done; your inability to figure out how is a sign of your own incompetence or laziness.
Just a Lack of Respect
Microsoft has no business making decisions for me concerning where or how I login to any given site; but that's their culture. And that's one reason I so strongly resist the use of ActiveX controls since it's their control and not mine. I stopped using the MS update site and began using Windows Updates Downloader and so far it works well. Updates can, and have been, downloaded individually. Gotta have them for nLite slipstreaming so may as well just install them manually. And since I use an alternate browser for general surfing, my ActiveX usage approaches zero.
Microsoft, in doing this, is just following along and contributing to the dumbing down of the world's population. I don't want some things to be easy, I want them to be hard and complex and force me to think before I can take a given action in that particular arena. And in the arena of internet security, I want to login to each site individually. Unfortunately, that limits me in certain areas. But that limitation is self imposed, ergo, I don't use Hotmail. Simple.
D'ahhh, I don't need no goddamn' "experience"...
...I just want to get my mail*, read the news, and find out what I need to know.
Any of these bozos blabbing on about my "user experience" is just blowing smoke up my ass.
*...but I use T'Bird for that, anyway.
@ Flush with information!
Hang on, hang on, I think I must have missed something.
Let me get this straight:
You left Hotmail because MS came in, you flush everything that moves with a batchfile, including DNS cache and Flash cookies. So, reasonably thorough job ..
.. and you use Gmail.
Hihi. Hahaha. HAAHAHAHAHAHAAAAHAHA. HOHOHAHAHAAAAHahaha. Hahahahaaa. HihihahahaHAAhaha. Hihi.
Sorry, hihi, hahaha, that was epically funny, that haha, hihi, appears to prove you, hihi never actually read their Terms of Service, hahaha. See point 1.2 ("this overrides any other claptrap our marketeers put on the site") and point 11 ("we can copy your data and mess around with it at will - thanks for donating it"). Even the privacy statement is a hoot: "You're totally safe! All our reading of everything you do on/with our service is scanned by software, not humans. But we write that software, but please forget that - we shouldn't have mentioned that. Did we mention your privacy is safe?"
The assertion that it's somehow more safe than Hotmail lacks proof unless you believe everything everyone says like "don't be evil". You have already given permission for them to do whatever pleases them with your data - even change it and then still attribute it to you. Hihihi hahaha. Thanks for the laugh, now go and read it.
@RW 13th November 2009 16:31 GMT
RW asks: "Haven't the designers of these brain-dead systems heard that the internet is a hostile environment where unknown domains are viewed with extreme suspicion?"
If the blizzard of requests from unknown domains isn't bad enough, it's the requests from dotted-quad numeric IP addresses. There's a fistful of sites out there that I come across which trigger announcements from Little Snitch that "XXX.XX.XX.XXX is requesting access on Port XX"; these requests, obviously, get an immediate "Deny Until Quit".
I don't know about the rest of you, but when I'm browsing, requests for access from numeric IP addresses are shot on sight.
Cookies on which sites?
Does anyone know on which sites they are setting cookies? I only want to be signed in to hotmail, not to a bunch of other sites I never need to log in to.
Required to log OUT but not IN?
OK, maybe I am missing something obvious here, but how the hell does accepting a cookie to log OUT of a web page increase security????
just plain stupid
Guess that's another email account to delete.
MS = Dogterd cornflakes.
"give users a good experience with single sign-on, so they can be authenticated to multiple sites (e.g. MSN, Xbox Live, Windows Live, Bing)"
Fuck the MS "user experience"....... I left and dumped Hotmail, Ohhhhhh Ummmmmmm like 8 years ago....
Everyone else had 5 meg attachments, and MS had 2... or was that the size of the email box?
Don't know, Don't Care, Don't Remember...... and Don't use.
Toooo many stupid "corporate moron" bullshit trips......
MSN = Marketing,
Hotmail = Marketing,
ALL infested by Malware and Mind Fuck impositions......
People still use hotmail? By all that might be holy, WHY?
Tristan Young said: "The solution I'll be recommending to my friends, family and clients is to switch them to gmail"
The words "frying pan" and "fire" spring, unbidden, to mind.
EL Vark said: "I have no sympathy for any of their users. GMail works well enough "
In response to this particular comment, I would like to quote a notably apt response from earlier in this thread ........
"Hahaha. HAAHAHAHAHAHAAAAHAHA. HOHOHAHAHAAAAHahaha"
That is all.
There I was ...
... wandering around the Internet with a (MICR)o(SOFT) tattoo on my ass. No wonder I can't get any GeekGirlz to share Java, let alone unzip my package.
@Anonymous Coward Posted Friday 13th November 2009 21:09 GMT
GMail is one of the accounts I use. All personal and private correspondence is handled through my primary ISP account. The only information GMail has about me is my IP#, which doesn't particularly bother me. El Reg have it, too, after all. I suggest GMail because it's relatively fast, reliable, and configurable. But, as I say, for anything remotely private or "secure", I have other means. I suggest that it works, too. Eight years with the same account and no spam, yet. Like, zero. Eight years. Are you satisfied or do you have anything else smart to say?
I use Hotmail as my signup spam account when a site asks for it and I need to "authenticate" to use said site. Works pretty good for that. Anything else I dont bother with Hotmail.
All your data are belong to MS
Their Vista code(still in Win7) doesn't collect enough user data? They still need yet some more?
I don't use MS sites, mail or browser. I gave up on hotmail, live etc a few years ago after it just became far too complicated, involved and time consuming to set up a simple throwaway account needed for something trivial. MS looks very much like an evil empire out to rape your data, but I seriously doubt they actually have the competence to achieve anything close to that - they have enough trouble making their sites look better than something a three-year-old would knock up as a doodle on Dreamweaver.
I'd echo the first AC (The Microsoft Problem) - the easier they try to make things, the harder and more insecure they actually become.
I use hotmail
but not for anything private.
I actually tried to use their help system earlier this week to report my account getting hacked (xss attack that happened after they brought in this new third party cookie system), but I couldn't sign in (it never logged me in, just started a circular redirection).
I work on Single Sign On (and Off) software, and Microsoft seriously don't have a clue. They need to go out and buy a real professional standards based (and I don't mean cardspace) SSO solution instead of thinking they know more about security than the real experts.