Do the latest Microsoft data encryption promises mean much?
Microsoft has announced more encryption services for customers, but it is more ‘papering over the cracks’ than a real effort to protect customers’ data. Microsoft has made some vaguely described changes to protect the transmission of your emails and documents, but nothing to protect that information once it is sitting on their servers.
In a blog posting the company talks about some infrastructure changes:
OneDrive also gets ‘Perfect Forward Secrecy’ (PFS) for communication between computers/devices and Microsoft’s servers.
Finally, they announced a ‘Transparency Center’ where some governments can “review source code for our key products, assure themselves of their software integrity, and confirm there are no ‘back doors’”.
That all sounds great until you scratch the surface of the announcement and realize that Microsoft is trying to make a big deal over relatively little:
- TLS and PFS have been available for some years (we’ve already noted that Gmail is way ahead of Outlook.com on this). Microsoft has merely announced that it has caught up with common industry practice using available technologies.
- It’s hard to believe that OneDrive links to computers/devices were NOT encrypted until now, but that’s the implication of Microsoft’s curious boast about OneDrive encryption: that OneDrive communication wasn’t secure until very recently. (Strictly, the announcement is about adding forward secrecy, so the links may already have used TLS, but the wording invites that reading.) Implementing TLS should not have been hard, since Windows Server has supported it for some time.
- Speaking of TLS encryption, there’s no mention of which TLS version has been implemented. That matters because the most recent version, TLS 1.2, is much better than the still-common TLS 1.0. TLS 1.2 is a European requirement, and NIST SP 800-52 Revision 1 requires US federal agencies to support it by January 2015.
- No mention of the certificate key length being used, either. Google moved its SSL certificates from 1024-bit to 2048-bit RSA keys in 2013. Hopefully these new encrypted links use the better standards and keys.
- Despite the word ‘Perfect’ in the name, ‘Perfect Forward Secrecy’ is not a cure-all. What it guarantees is that someone who later obtains the server’s long-term private key cannot retroactively decrypt traffic they recorded earlier. It does not stop a party that holds the key now (Microsoft, and presumably any government agency it shares the key with) from impersonating the server or sitting in the middle of live connections, and it says nothing about what happens to the data once it reaches Microsoft’s servers.
- The ‘Transparency Center’ sounds great, but since only governments get to use this singular version of ‘transparency’, it’s not very comforting to the rest of us.
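The three open questions in that list (which TLS version is negotiated, whether the key exchange is forward secret, and how long the certificate’s RSA key is) can be answered for any endpoint rather than taken on trust. The Python script below is an added example written for this article; it is not Microsoft’s code and not part of the original post. It reads the negotiated protocol and cipher from the standard `ssl` module, pulls the RSA modulus size out of the DER certificate with a small hand-written walk of the SubjectPublicKeyInfo (so it needs no third-party library), and separately probes whether the server will still complete a TLS 1.0 handshake. The host name `outlook.com` used as the default target is only an assumption; pass whatever hosts you want to check on the command line.

```python
"""Probe what a TLS endpoint really negotiates: protocol version, forward
secrecy of the key exchange, and the RSA key length of its certificate.
Added example for this article; not Microsoft's code. The default host
name is an assumption, pass your own on the command line."""
import socket
import ssl
import sys

# DER encoding of the id-rsaEncryption OID (1.2.840.113549.1.1.1), tag and length included.
RSA_OID = bytes.fromhex("06092a864886f70d010101")
MODERN_VERSIONS = ("TLSv1.2", "TLSv1.3")


def _der_length(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:                       # short form: single octet
        return first, i + 1
    n = first & 0x7F                       # long form: n length octets follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def rsa_key_bits(der_cert: bytes):
    """Return the RSA modulus size in bits of a DER-encoded certificate, or None
    when the SubjectPublicKeyInfo is not rsaEncryption (e.g. an ECDSA certificate)
    or the structure is not what an RSA SPKI looks like."""
    pos = der_cert.find(RSA_OID)
    if pos < 0:
        return None
    try:
        i = pos + len(RSA_OID)
        if der_cert[i:i + 2] != b"\x05\x00":   # AlgorithmIdentifier.parameters must be NULL
            return None
        i += 2
        if der_cert[i] != 0x03:                # BIT STRING wrapping RSAPublicKey
            return None
        _, i = _der_length(der_cert, i + 1)
        i += 1                                 # skip the "unused bits" octet
        if der_cert[i] != 0x30:                # SEQUENCE { modulus INTEGER, publicExponent INTEGER }
            return None
        _, i = _der_length(der_cert, i + 1)
        if der_cert[i] != 0x02:                # INTEGER modulus
            return None
        mod_len, i = _der_length(der_cert, i + 1)
        return int.from_bytes(der_cert[i:i + mod_len], "big").bit_length()
    except IndexError:                         # truncated or malformed input
        return None


def assess(cipher_name: str, protocol: str, key_bits=None) -> dict:
    """Grade a negotiated (cipher, protocol) pair against the article's checklist.
    TLS 1.3 only has ephemeral key exchange; for 1.2 and below the OpenSSL cipher
    name says it: ECDHE-/DHE- suites are forward secret, plain RSA or static
    ECDH-RSA key exchange is not."""
    forward_secrecy = protocol == "TLSv1.3" or cipher_name.startswith(("ECDHE-", "DHE-"))
    return {
        "protocol": protocol,
        "cipher": cipher_name,
        "modern_version": protocol in MODERN_VERSIONS,
        "forward_secrecy": forward_secrecy,
        "rsa_key_bits": key_bits,                       # None: not an RSA certificate
        "key_length_ok": key_bits is None or key_bits >= 2048,
    }


def check_server(host: str, port: int = 443) -> dict:
    """Connect with the platform's default (certificate-verifying) settings and report."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return assess(name, protocol, rsa_key_bits(tls.getpeercert(binary_form=True)))


def accepts_tls10(host: str, port: int = 443) -> bool:
    """Does the server still complete a handshake when we offer only TLS 1.0?
    False means 'not observed': it also results when the local OpenSSL build
    refuses to speak TLS 1.0 at all, so confirm a False with another client."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # OpenSSL 3 allows TLS 1.0 only at level 0
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def sample_rsa_spki(bits: int) -> bytes:
    """Constructed fixture, not a real certificate: the SubjectPublicKeyInfo bytes that
    rsa_key_bits() walks, with a dummy modulus of the requested size (multiple of 8)."""
    def tlv(tag: int, body: bytes) -> bytes:
        n = len(body)
        if n < 0x80:
            length = bytes([n])
        elif n < 0x100:
            length = b"\x81" + bytes([n])
        else:
            length = b"\x82" + n.to_bytes(2, "big")
        return bytes([tag]) + length + body
    modulus = b"\x00" + (1 << (bits - 1)).to_bytes(bits // 8, "big")   # top bit set, so DER sign pad
    rsa_public_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    return tlv(0x30, tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x03, b"\x00" + rsa_public_key))


if __name__ == "__main__":
    for host in sys.argv[1:] or ["outlook.com"]:   # default host is an assumption
        print(host, check_server(host), "TLS 1.0 still accepted:", accepts_tls10(host))
```

Run it as `python tlscheck.py outlook.com onedrive.live.com` (file name and hosts are your choice). A result with `modern_version` and `forward_secrecy` both true and `rsa_key_bits` of 2048 or more is what the announcement ought to mean; a true from `accepts_tls10()` means the server still lets older clients negotiate TLS 1.0, which is the downgrade path the version question in the list is really about.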
What Microsoft calls ‘Office 365 Message Encryption’ is merely a repackaging of the existing Information Rights Management feature under a new brand. It requires a high-end Office 365 subscription plus Azure Rights Management for another $2 per user per month. Office 365 Message Encryption suits Microsoft’s wish to entangle customers with its cloud services, but it is not an open, interoperable email encryption standard in the way S/MIME or OpenPGP are.
What the latest announcement doesn’t mention is anything that would protect customers from access to their data by government agencies (with or without a warrant) or by Microsoft itself (which the company has done in the past).
- Microsoft’s commitment to Office beyond Windows
- Microsoft can read your Office documents, legally
- Microsoft reads private email on Hotmail/Outlook.com
- Microsoft and the NSA … a ‘team’ to get more information from us