Outlook.com / Hotmail does not encrypt your email

When you visit Outlook, your browser’s URL bar turns green and a padlock icon appears next to it. You’re safe from snooping, or so you thought.

When we tested Outlook’s servers today, we found that they do not support encryption for incoming email. So if you send an email from someone@gmail.com to someone@hotmail.com, the email, according to our results, will go from Google to Outlook without any encryption at all.

Here is how it should work:

Say you send an email to someone@hotmail.com. Your server looks up hotmail.com in a global directory (DNS) to find its mail server, asking for the so-called ‘MX Record’. The MX Record points to mx1.hotmail.com, and your server attempts to connect to that server (on port 25). The connection would then be secured (the sending server asks for this with the SMTP STARTTLS command) and your email gets delivered.

The only difference is that mx1.hotmail.com does not provide the ability to secure the connection. Yep, it completely ignores the command.

So, for example, when you send an email from Gmail to a Hotmail address, the email will, hypothetically, travel across the internet without any encryption!

We’re not sure why this is… every major email service provider should support this in this day and age. Don’t you think?

——-

Notes:
If you are technically inclined and want to validate our result, here is how the test was done:

First, we get the MX entry for hotmail.com:
$ dig hotmail.com MX

Next, have a look to see what services are available for us:

$ nmap mx1.hotmail.com

So now we know that we can only use port 25, let’s see if they have TLS:

$ openssl s_client -connect mx1.hotmail.com:25 -starttls smtp

Normally, the above command should print SSL certificate information. It did not when we tried it.
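
The same check can be scripted. The following is an added example, not part of the original test: it parses an SMTP EHLO reply to see whether STARTTLS is advertised, and check_host() performs the live check with Python's smtplib. The sample replies and the example.test host names are constructed for illustration.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server).
WITH_TLS = (
    "250-mx.example.test Hello probe.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Here "starttls" appears only inside a hostname on the greeting line.
WITHOUT_TLS = (
    "220 mx.example.test ESMTP ready\r\n"
    "250-mx.example.test Hello starttls-probe.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)

def parse_ehlo(reply):
    """Return the extension keywords advertised in a raw EHLO reply."""
    lines = [l for l in reply.splitlines()
             if len(l) > 4 and l[:3] == "250" and l[3] in "- "]
    # The first 250 line is the server greeting, not an extension.
    return {l[4:].split()[0].upper() for l in lines[1:] if l[4:].strip()}

def offers_starttls(reply):
    """True only if STARTTLS is listed as an extension keyword."""
    return "STARTTLS" in parse_ehlo(reply)

def check_host(host, port=25, timeout=10):
    """Live check: (STARTTLS advertised?, negotiated TLS version or None)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return False, None
        # Raises ssl.SSLError if the certificate does not validate.
        s.starttls(context=ssl.create_default_context())
        return True, s.sock.version()

if __name__ == "__main__":
    print(offers_starttls(WITH_TLS), offers_starttls(WITHOUT_TLS))
```

Matching on extension keywords rather than searching the reply for the string "starttls" avoids a false positive when the word only appears in a hostname on the greeting line.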