Microsoft is no exception when it comes to large technology providers committing to encrypting the services its users depend on.
Today, the company announced an update on the progress it has made in engineering those changes, including the news that Outlook.com, its web-based email service, supports TLS encryption inbound and outbound as well as Perfect Forward Secrecy.
“Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day,” said Matt Thomlinson, vice president Trustworthy Computing. “This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data.”
Microsoft also announced that its OneDrive cloud-based storage service has enabled Perfect Forward Secrecy. The technology keeps data safe by randomizing private encryption keys used to secure communication; if a key is compromised, it cannot be used to decrypt other messages at a future time.
In the year-plus since the Snowden revelations began and technology companies were questioned about the level of their complicity with government surveillance, firms such as Microsoft, Google, Facebook and Yahoo and have taken public stands about the security of their services.
Developers are being encouraged to use encryption and security technologies such as HTTPS, HSTS and PFS as default starting points in new applications. In December, Microsoft said it would have encryption protecting its services by the end of this year, including supporting HSTS on its public-facing services that exchange data, including email and credentials. Microsoft said it would also roll out STARTTLS for Outlook.com.
HSTS, or HTTPS Strict Transport Protocol, forces sessions sent over HTTP to be sent instead over HTTPS. STARTTLS, meanwhile, allows clients and servers to encrypt messages provided both ends of a conversation support the protocol.
Microsoft’s December promise, meanwhile, is coming to fruition. It promised then to encrypt customer data moving between the user and Microsoft would be encrypted by default and data moving between data centers would too be encrypted. Microsoft has already moved to deprecate weak encryption keys, supporting only a minimum 2048-bit key lengths.
Microsoft chose email as a starting point to concentrate its encryption efforts, bringing in worldwide partners such as Deutsche Telekom, Yandex and Mail.ru to test the viability of its encryption. The additional of Perfect Forward Secrecy to Outlook and OneDrive, for example, puts up another barrier not only for government intelligence agencies, but for criminal hackers as well.
“Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections,” Thomlinson said, adding that OneDrive customers get PFS whether accessing the service online, though its mobile application or a sync client. “As with Outlook.com’s email transfer, this makes it more difficult for attackers to decrypt connections between their systems and OneDrive.”
Microsoft also announced it has opened its first Microsoft Transparency Center. Located on the Redmond campus, the center enables participating governments with a place to review source code for a number of products and certify the integrity of the source code. Other such centers are in the works Thomlinson said, including one in Brussels, Belgium, announced in January.
“As with most things relating to security, the landscape is ever changing,” he said. “Our work is ongoing and we are continuing to advance on engineering and policy commitments with the goal of increasing protection for your data and increasing transparency in our processes.”