Enhanced security WLM 12.x (SSL-secured).

[Indicium]

Currently, I am using Windows Live Mail 12.0 (desktop) running Windows XP SP3.

I have the following questions:

1) Log in: is a secured connection (enhanced security) using SSL established
between the server and the desktop?

2) Synchronise (the mail): can I establish a secured connection using SSL
between the server and the desktop (e.g. by changing
HTTP://mail.services.live.com/DeltaSync_v1.0.0/sync.aspx (default) to
HTTPS://mail.services.live.com/DeltaSync_v1.0.0/sync.aspx)?

I have a Windows Live ID (Hotmail.com/MSN.com/Live.com, etc.).

I am looking forward to any advice on this matter.

Thanking you in advance.

Kind regards.

 

[...winston]

No....
SSL is not a configurable option for a free Hotmail account when using the DeltaSync protocol.


A Hotmail Plus account provides the ability to use Pop3/Smtp access using SSL(for both incoming/outgoing servers) and outgoing
authentication(username/pw). A Hotmail Plus account is fee based(currently $20/yr U.S). Hotmail accounts using the pop3/smtp
servers(live.com) do not sync folders in WLM(like other pop3 accounts, they pull down the mail from the server and store it
locally).

 

[Indicium]

Thank you for your comment. However, regarding the synchronisation I am not
sure whether it is right. I changed
http://mail.services.live.com/DeltaSync_v1.0.0/sync.aspx (default) to
httpS://mail.services.live.com/DeltaSync_v1.0.0/sync.aspx (i.e. SSL) and
everything worked well. The mail was pulled down from the server and stored
on the desktop. I assume, that the SSL-settings were used.

Secondly, is it not strange that the WLM log in/log on is not SSL-secured.
When I log in to Windows Live Hotmail (not using WLM) I always use the
enhanced security. Without SSL passwords can easily be intercepted.

Kind regards.

 

[...winston]

The DeltaSync server is an http protocol used by the Windows Live Mail(WLM) email client and the Outlook Connector beta client(in
Outlook) for Hotmail accounts. In an email client SSL/TLS are options in pop3(only available for use in a Hotmail Plus account).
WLM uses the DeltaSync server(no configurable options for SSL) for any Hotmail account setup unless that account is capable(Hotmail
Plus) and configured to use Pop3/Smtp and the required SSL settings.

Using a browser (e.g. IE) to logon is entirely different than using WLM.

Https and SSL are not interchangeable terms.
<qp>
Secure HyperText Transfer Protocol (HTTPS) is for all practical purposes HTTP. The chief distinction is that it uses TCP Port 443
by default, so HTTP and HTTPS are two separate communications. HTTPS works in conjunction with another protocol, Secure Sockets
Layer (SSL), to transport data safely. Remember, HTTP and HTTPS don’t care how the data gets to its destination. In contrast, SSL
doesn’t care what the data looks like. People often use the terms HTTPS and SSL interchangeably, but this isn’t accurate. HTTPS is
secure because it uses SSL to move data.
</qp>


Try switching your server to DeltaSync_v2.0.0

If your mail was stored on the desktop, you have an entirely different problem.

 

[Indicium]

Thank you for the comment. I understood, that https is not a separate
protocol. Https refers to the combination of a normal HTTP interaction over
an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
connection.

I changed HTTP://mail.services.live.com/DeltaSync_v1.0.0/sync.aspx (default)
to
HTTPS://mail.services.live.com/DeltaSync_v2.0.0/sync.aspx (under "Accounts"

"Preferences (in Dutch: "Eigenschappen")". I was able to synchronise all

the e-mail with the free (!) Windows Live Hotmail-account. Everything worked
fine (so far)!

I understood, that using a browser to log on is different than using WLM.

Question: When I login to WLM (just before the green/blue splash screen of
Windows Live Mail), is a connection established between the PC and the
server? If so, is that connection secure?
Or is the Windows Live ID (and the password) stored encrypted on and checked
with that information on the PC?

Kind regards.

 

[Ildhund]

Install FiddlerTool and you can see for yourself what traffic
between your client and Windows Live is encrypted. Read about it
here:
http://msdn.microsoft.com/en-us/library/bb250446.aspx

 

[Indicium]

Thank you for the advice. I have used Fiddler 2.1.

1) The logon to WLM-data (just before the Windows Live Mail splash screen)
were:

CONNECT login.live.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
1.1.XXXX; .NET CLR 2.0.XXXXX; IDCRL 4.2XX.XXX.X; IDCRL-cfg 6.0.XXXXX.X; App
wlmail.exe, 12.0.1606.1023, {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX})
Host: login.live.com:443
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

The data sent represents an SSLv2-compatible ClientHello handshake. For
your convenience, the data is extracted etc.

2) Login for Synchronization-data were the same (However, the data sent
represents an SSLv3-compatible ClientHello handshake).

3) Synchronisation-data (in spite of the fact that I changed
HTTP://mail.services.live.com/DeltaSync_v2.0.0/sync.aspx [default] to
HTTPS://mail.services.live.com/DeltaSync_v2.0.0/sync.aspx):

POST /DeltaSync_v2.0.0/Settings.aspx?t=XXX(...)XXXp= HTTP/1.1
Accept: text/*
Content-Type: text/xml
User-Agent: WindowsLiveMail/1.0
Host: mail.services.live.com
Content-Length: 363
Connection: Keep-Alive
Pragma: no-cache

POST /DeltaSync_v2.0.0/Settings.aspx?t=XXX(...)XXXp= HTTP/1.1
Accept: text/*
Content-Type: text/xml
User-Agent: WindowsLiveMail/1.0
Host: XXXXXXX.XXXXXX.mail.services.live.com
Content-Length: 363
Connection: Keep-Alive
Pragma: no-cache


Kind regards.