More Microsoft encryption promises


Do the latest Microsoft data encryption promises mean much?

Microsoft has announced more encryption services for customers, but it’s more ‘papering over the cracks’ than a real effort to protect customers’ data. Microsoft has made some vague changes to protect the transmission of your emails and documents, but nothing to protect that information on their servers.

In a blog posting the company talks about some infrastructure changes: email to/from other email hosts is secured with TLS encryption and ‘Perfect Forward Secrecy’ when possible. Google made similar changes to Gmail almost three years ago.

OneDrive also gets ‘Perfect Forward Secrecy’ (PFS) for communication between computers/devices and Microsoft’s servers.

Finally they announced a ‘Transparency Center’ where some governments can “review source code for our key products, assure themselves of their software integrity, and confirm there are no ‘back doors’”.

That all sounds great until you scratch the surface of the announcement and realize that Microsoft is trying to make a big deal over relatively little:

  • TLS and PFS have been available for some years (we’ve already noted that Gmail is way ahead on this). Microsoft has merely announced that it has caught up with common industry practice using available technologies.
  • It’s hard to believe that OneDrive links to computers/devices were NOT encrypted until now, but that’s the implication of Microsoft’s curious boast about OneDrive encryption: that OneDrive communication wasn’t secure until very recently. Implementing TLS should not have been hard, since it’s been supported in Windows Server for some time.
  • Speaking of TLS encryption … there’s no mention of which TLS version has been implemented. That’s important because the most recent TLS v1.2 is much better than the common TLS 1.0. v1.2 is a European requirement and mandated for US Federal Agencies by 2015.
  • No mention of the key length being used. Google switched from 1024 bit length to 2048 bits in 2013. Hopefully these new encrypted links use the better standards and keys.
  • Despite the word ‘Perfect’ in the name, ‘Perfect Forward Secrecy’ can be hacked, especially if the hackers have access to the certificates (which Microsoft and, presumably, government agencies do).
  • The ‘Transparency Center’ sounds great but since only governments can use this singular version of ‘transparency’ it’s not very comforting.
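The three things the list above says the announcement leaves unstated (TLS version, forward secrecy and certificate key length) can be checked directly against a mail or web endpoint. This is an added example, not code from the post or from Microsoft; it assumes Python’s standard `ssl`/`smtplib` modules plus the third-party `cryptography` package for reading the certificate key size, and `probe` needs network access while `assess` runs offline on the collected facts.

```python
import smtplib
import socket
import ssl
from dataclasses import dataclass

@dataclass
class TlsFacts:
    version: str    # e.g. "TLSv1.2"
    cipher: str     # OpenSSL suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    key_type: str   # certificate public key: "RSA" or "EC"
    key_bits: int   # certificate public-key size, e.g. 2048

def assess(f: TlsFacts) -> dict:
    """Map the facts onto the post's three concerns; True means the concern is met."""
    # Forward secrecy comes from ephemeral key exchange: a DHE-/ECDHE- prefix in
    # TLS 1.2 suite names, and every suite in TLS 1.3.
    pfs = f.version == "TLSv1.3" or f.cipher.startswith(("ECDHE-", "DHE-"))
    # The 1024 -> 2048 figure in the post is an RSA figure; a 256-bit EC key is
    # at least as strong, so it is not flagged just because the number is smaller.
    key_ok = f.key_bits >= (2048 if f.key_type == "RSA" else 256)
    return {"tls12_or_better": f.version in ("TLSv1.2", "TLSv1.3"),
            "forward_secrecy": pfs, "key_length_ok": key_ok}

def certificate_facts(der: bytes) -> tuple:
    """Key type and size of a DER certificate via the 'cryptography' package
    (an assumption of this example; the post does not mention it)."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = x509.load_der_x509_certificate(der).public_key()
    return ("RSA" if isinstance(key, rsa.RSAPublicKey) else "EC"), getattr(key, "key_size", 0)

def probe(host: str, port: int = 443, smtp: bool = False, timeout: float = 10.0) -> TlsFacts:
    """Collect the facts live; smtp=True does an SMTP STARTTLS upgrade (what
    host-to-host mail uses, normally on port 25) instead of a direct TLS connect."""
    ctx = ssl.create_default_context()
    if smtp:
        conn = smtplib.SMTP(host, port, timeout=timeout)
        conn.ehlo()
        conn.starttls(context=ctx)  # raises if the server offers no STARTTLS
        tls = conn.sock
    else:
        tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                              server_hostname=host)
    try:
        kind, bits = certificate_facts(tls.getpeercert(binary_form=True))
        return TlsFacts(tls.version(), tls.cipher()[0], kind, bits)
    finally:
        tls.close()
```

`assess(probe("mail.example.invalid", 25, smtp=True))` is the mail-host check; the default context verifies the certificate chain, so an untrusted certificate surfaces as an `ssl.SSLError` rather than a silent pass.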

What Microsoft calls ‘Office 365 Message Encryption’ is merely a repackaging of the existing Information Rights Management feature under a new brand. It requires a high-end Office 365 subscription plus Azure Rights Management for another $2 per user per month. Office 365 Message Encryption suits Microsoft’s wish to entangle customers with their cloud services, but it’s an open email encryption system.

What the latest announcement doesn’t mention is anything that will protect customers from data intrusion by government agencies (with or without a warrant) or by Microsoft itself (which the company has done in the past).
