Though Hotmail is doing a complete makeover, and the simplicity, usability, and style will all be much better in the new version, a feature on the ZDNet security blog reminds us that Hotmail is just now catching up in security features to the product from Brand G.

While delivering what its users want, Google has also been making the use of the service very secure, making it easier to avoid things like scams and phishing that Hotmail users have been putting up with.

Dancho Danchev points out the differences:

Microsoft’s revamped Hotmail, set to be rolled out in mid-summer according to the company’s press release, introduces several new security features, among which are full-session SSL, visual indication for trusted email senders, and improved password recovery mechanisms.

Let’s review them, their applicability to today’s cyber threatscape, and compare them to Gmail’s currently available security features.

  • Trusted senders – With the new Hotmail, we help you to visually identify trusted senders in your inbox, particularly banks and other senders most commonly impersonated in phishing scams, by putting safety logos next to those senders who we recognize as legitimate.
  • Full-session SSL – In addition to providing SSL encryption of credentials at login for all accounts, the new Hotmail will soon support the option to maintain SSL encryption between you and Microsoft servers during your entire Hotmail session.
  • Single-use codes – This new security feature is designed to further help protect you by giving you the option to ask Hotmail to SMS to you a one-time temporary password if you’d prefer not to use your regular password when logging into Hotmail on public computers that could potentially harbor key logging malware that could steal your password, such as those sometimes found in internet cafes and airports.
  • Account security information – The new security platform elements we’ve built up around Hotmail now enable you to use your cell phone or other items as proof of account ownership. For example, if you lose your password or, worse, if your account gets compromised, we can now send you an account recapture code via an SMS message or enable you to regain access to your account.

Playing catch-up from a security perspective in the free email market segment — sorry Microsoft — offers unique business development opportunities that, if well executed, can position the follower as the market (segment) leader, at least for a while.

And although the introduction of safety logos for over 100 banks/financial institutions is a great idea, since it would help less technically sophisticated Hotmail users spot the fraudulent emails more easily, trusted senders (July, 2009), full-session SSL (July, 2008), and SMS-based password recovery have all been available to Gmail users for a while.

In order to fully seize the marketing momentum, market (segment) followers are supposed to set new benchmarks, and do their best to avoid “me-too” product feature catch-up based strategies. Interestingly, Microsoft appears to have achieved it by introducing the SMS-based single sign-in codes.

In comparison, Gmail only has a password recovery option via SMS, introduced in June, 2009. Here’s a chronology of the introduced security features at Google’s Gmail over the years:

  • 2004 – Gmail Begins Signing Email with DomainKeys
  • 2008 – Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails
  • 2008 – Making security easier (choice for always on SSL)
  • 2008 – Remote sign out and info to help you protect your Gmail account
  • 2009 – Google Account Recovery via SMS
  • 2009 – The super-trustworthy, anti-phishing key (visual Trusted Senders confirmation)
  • 2010 – Default https access for Gmail
  • 2010 – Security alerts for Gmail

Which are the unique features offered exclusively by only one of the email providers?

Basically, if it wasn’t for Hotmail’s upcoming single-use codes, their whole campaign would have been an embarrassing catch-up marathon with Google’s Gmail. Gmail’s security alerts feature, however, still differentiates by emphasizing the real-time notification of a compromise that’s currently taking place.

Is there a particular security feature that both Microsoft and Google failed to implement so far? Has the time come for both companies to acknowledge the existence of public key cryptography within their settings interface? What about the availability of a disposable/temporary email account generation feature?

Moreover, how user-friendly was your experience with both email providers, in cases of an account compromise? With do-it-yourself account import and export options, is the increased security offered by a particular provider enough for you to migrate there?

While I see some of this as helpful, and I use both of these services, I don’t rely on the security of e-mail at any time, so I have never been disappointed. I also don’t use either of them as web mail unless I am not on one of my machines. If pressed, I would have to say that I trust Google more than Microsoft to take care of me, but the fact that both are improving can only be good for everyone.

The use of public key crypto and temporary accounts would be very cool, but there are places that allow this already; they are simply harder to find. But this is a case where the more that they want to give, the more I’ll take and thank them for it.


That e-mail we sent has never arrived… it’s still somewhere in space. But it is secure.
