back to article Microsoft thumbs nose at NSA, hardens crypto for Outlook, OneDrive

Microsoft has flipped the switch to activate stronger encryption on its OneDrive and Outlook.com cloud services as part of a broader effort to make it harder for the NSA and other spying agencies to snoop on its customers' data. Specifically, Outlook.com now supports TLS encryption on all connections to its servers, both …

"makes it harder for eavesdroppers to decrypt communications because it never sends the secret session key in full over the network."

Really the main benefit is that the users private key is not used to encrypt the traffic and a unique key is derived per session. So moving forward, each session needs to be uniquely attacked and decrypted, regardless of if you know the private key or not.

3
1
Silver badge

"So moving forward, each session needs to be uniquely attacked and decrypted, regardless of if you know the private key or not."

Only strengthens email against spies who haven't backdoored the software....

7
2
Boffin

Actually, PFS doesn't involve any user keys, just server keys, at least in the implementations discussed for Microsoft. These connections all rely on servers to have public/private key combinations. User private/public key combinations are optional, depending on the security requirements, though I haven't seen many instances where it's used for anything other than authentication.

0
2

Just Curious... Why the thumb down ?

0
0
Bronze badge

"PFS doesn't involve any user keys, just server keys, at least in the implementations discussed for Microsoft"

PFS involves generating new (temporary) keys and dumping them when the connection is terminated. There's still keys each side, they just won't get you the temp key if they're compromised.

This is all dependant on your stuff not being backdoored day one, which frankly I'm not going to put any trust in without peer review.

3
1
Silver badge

>>Just Curious... Why the thumb down ?

Probably someone took your post as not sufficiently condemning Microsoft. There's some round here who see that as reason to downvote even purely factual posts. (Now lets see who downvotes this post and proves my point!)

Anyway, I think we can thank Edward Snowden for this. Microsoft don't really do this modern faux-friendly faux-free evil, yet. They're just good old-fashioned greed for your money type of evil. It used to be that toadying up to the government got you the juicy contracts. But the landscape has changed and privacy is what lots of the public are demanding (whilst using Facebook, but only Economists believe in the rational market ;). And the public represent more money than the NSA. It is also a slight edge they can exploit over Google as MS still have a business model that isn't primarily about data harvesting. So they can take a hit to advertising revenues if it helps them position themselves ahead of Google.

4
0
Anonymous Coward

"Only strengthens email against spies who haven't backdoored the software...."

So best to avoid Open Source software where they might have had the opportunity to do so then?

0
2
Anonymous Coward

Call me cynical (and technically ignorant) if you will but, when we are talking about the NSA the snooping part of the US Government apparatus, given a large/useful chunk of the world's certificate authorities could be secretly compelled to hand over (or may even have had their root certs stolen) does this really matter? I mean, can the NSA not already MITM most connections setup with such trusted certs? Isn't the major problem these days that the trust is compromised and hence the emails need to be encrypted rather than just the pipe which presumably shields the metadata?

1
0
Bronze badge

"given a large/useful chunk of the world's certificate authorities could be secretly compelled to hand over"

Cert authorities only *attest* (counter-sign) *public* keys. Nobody ever sends a private key to a cert authority. Sure they can generate new ones and usurp your traffic (a flaw that's been discussed very often and there are people testing the certs of large orgs to look out for this) - but nothing about lets say the CIA getting into say Comodo is going to get them *your* private keys. PKI is built like this for a good reason, both foreseeing this very issue and that it wouldn't be safe to send them over the wire anyway.

Also this is what PFS is for - if they capture your traffic, then later break into your server and grab the private keys - it won't allow them to decrypt the old traffic. It will of course allow them to decrypt any new traffic as it goes over the wire.

0
0
Silver badge

So?

How does this protect data from the NSA et al, once it resides on Microsoft servers?

8
3

Re: So?

http://lmgtfy.com/?q=perfect+forward+secrecy

2
3
Silver badge

Re: So?

If they have the keys for the entire set of messages then it's not so perfect

2
0
Silver badge

Re: So?

NSA will have to get a bit of paper rubber stamped and pay MS to provide the data, not just suck up the data for free from one of their taps.

7
2

Re: So?

TLS (Transport Layer Security) - even with PFS - only encrypts the connection that transfers messages from the sender's mail server to the recipient's mail server. It does not address encryption of messages while they are stored on the server. Unless additional measures not discussed in the article are in place (such as S/MIME with appropriate key management), an adversary with access to the mail provider's systems and/or cooperation from the provider can still read people's messages regardless of whether TLS was used to transfer them.

5
0

Re: So?

"pay MS to provide the data, not just suck up the data for free"

BINGO!

This innovation is to 'protect shareholder value in MS intellectual property'.

2
1
Silver badge

Re: So?

>>"NSA will have to get a bit of paper rubber stamped and pay MS to provide the data, not just suck up the data for free from one of their taps."

You do your best to make this sound like it has no impact, but having to go through the court process (even if the courts are very friendly) at least creates a paper trail of who and how much the NSA are spying on and forces them to seek judicial oversight (and political climates DO change).

Furthermore, adding a financial cost to this makes a big difference in that they have to be selective. Look at spam - there's a tonne of it because it doesn't even cost pennies to send tens of thousands. With junkmail there's still more than everybody wants, but they have to at least restrict themselves to cases where they expect to get more return on the actual per-letter investment rather than the trivial cost per email of spam. And so with the NSA they have to actually pick who they want to investigate rather than just engage in massive fishing exercises.

Finally, much like the previous point but for more technical reasons, it means that they have to investigate select groups of people they already exist rather than batch-search through everyone's emails looking for particular word groups or sender-recipient combinations.

As I said, you did your best to trivialize it, but this is a significant thing that I welcome.

4
1
Anonymous Coward

Re: So?

"Unless additional measures not discussed in the article are in place (such as S/MIME with appropriate key management)"

It's already in Office 365, so no doubt on it's way for Outlook.com:

http://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/

1
0
Bronze badge

Re: So?

they'll still investigate everyone. the government will simply 'preapprove' all requests using some legal slight of hand and then transfer the increase in operational costs to the tax payer.

so you'll still get screwed. you'll just pay a bit more for the privilege now.

0
0
Silver badge

Finding a scapegoat

These people are naive in thinking the USA tech industry industry is crumbling because of the spying and that it might have been " an issue that needed to be addressed but might blow over ".

Nothing happens in a vaccuum. The US tech industry has been losing ground for ages and has been doing so perfectly well without the spies dragging them down. All the spying has done is erode the FUD that was keeping the market going for a bit longer. Net result, the spying has only changed timescales by a few months - a year at the outside. The outcome has not changed.

But big biz leaders never want to admit the rot of their industry. They always want something else to blame. They did it in 2001 and they're doing it now.

Exactly the same thing happened in 2001 with dot.bomb. The US market imposion was largely blames on Sept 11. However the industry was on the skids already. Sept 11 might have accelerated things by a month or three, but the trajectory was already set.

We've seen the upsurge of Huawei etc for a few years now. That they were coming along to eat everyone's lunch was obvious long ago. Microsoft has been rolling about in its own excrement for years.

All of this predates spies, but the spies five them a nice little scapegoat when the share holders get uppity.

9
5

Upvoted you...

...because I agree with you. One inaccuracy is that 911 accelerated dot.bomb. It didn't. I was out of a job six months before that, and I'd clung onto that last job well past the peak of the bust. Tough time for me, so still very familiar with those dates.

2
1
Silver badge

Re: Finding a scapegoat

>>These people are naive in thinking the USA tech industry industry is crumbling because of the spying and that it might have been " an issue that needed to be addressed but might blow over ".

I know for a fact of two large companies that have recently lost out on big contracts explicitly because of inability to reassure against snooping by the US government. Don't just write things because you think contradicting the article will make you sound more informed / insightful. I also personally recommended to a client against Azure in one instance because of US hosting not meeting EU data protection requirements for them. It happens and it's a significant thing. Do you really think Microsoft of all companies would go against the Three Letters if there weren't a monetary incentive for doing so? If you don't trust article writers or posts such as mine, surely you can at least trust in Microsoft's greed?

3
2
Anonymous Coward

Re: Finding a scapegoat

"also personally recommended to a client against Azure in one instance because of US hosting not meeting EU data protection requirements for them"

Why didn't they simply use EU based Azure - which does meet EU data protection requirements? There are 2 European regions to choose from.

0
0
Silver badge

Re: Finding a scapegoat

>>"Why didn't they simply use EU based Azure - which does meet EU data protection requirements? There are 2 European regions to choose from."

At the time there were no such provisions.

0
0
Bronze badge
Pint

SDDK

"Same Day Diffeent Key" This is diffent/harder only that the NSA will have to request the session key as well. Not stronger because of a session key. Yes this is stronger against a OUTSIDE attacker, however the government has the power to sit in the middle. As I would say SDDK.

5
1

Re: SDDK

Indeed, but if you are scared of the government you shouldn't be using such services anyways, eh ?

It does bode well for privacy and common sense generally. It's nice to know that the 1st line support bod at the ISP's aren't sitting sifting through all the emails.

3
1
Silver badge

Re: SDDK

> It's nice to know that the 1st line support bod at the ISP's aren't sitting sifting through all the emails.

No but someone at Microsoft is, especially if they think you might be violating their T&Cs when selling MSFT software

4
2
Gold badge
Gimp

US Company. US Servers. THE PATRIOT Act trumps any of this BS.

I imagine this will fool the PHB types who set policy.

Which is it's purpose.

14
2
Trollface

How Microsoft has fallen

WOW! I'd never thought I'd hear such enduser friendly language from microsoft.

You'd never catch face(mindcontrol)book, or goo(collect everything)gle attempting to massage public opinion by shoring up the pipes(please ignore the back door).

Oh.... Hang on.... DOH! I get it now. NSA isnt paying microsoft for tapping the traffic OUTSIDE the data center!

Mircosoft change...LOL..silly me.

3
6

Making it cost 1000 times more

For NSA to do what they were doing is not without effect. NSA does not have the resources to decrypt everything, provided Google, Microsoft, and their ilk encrypt everything.

5
2
Bronze badge
Facepalm

So as a potential terrorist...

What is to stop me using good old fashioned book codes over the net?

I'm pretty sure bibles and q'rans -for obvious examples, make ideal texts for spies like us to pass messages on in very simple codes without all the encryption buggery.

2
0

Re: So as a potential terrorist...

If you are a terr, please go ahead. I'm sure the NSA and others already have lookup tables for your book codes, but don't let it stop you.

1
1
Bronze badge
Big Brother

Re: So as a potential terrorist...

Exactly. A properly implemented OTP defeats the spies utterly. The spies know this, the terrorists know this. Which makes me wonder why terrorism is even mentioned, hell, they couldn't/didn't stop the Boston Marathon bombers even with some advance knowledge.

The NSA et.al. spying has little to do with the stated purpose of said data collection...

0
0
Gold badge

Thanks for finally adding encryption in flight, Microsoft. Unfortunately, your solution is still not proof against NSLs, and thus not secure.

I'll continue using Sync.com.

4
0

Thumbs nose at NSA?

Is this some kind of a joke, because as everyone with half a brain knows, this is just security theatrics, as far as the NSA/US Government is concerned.

5
2

Re: Thumbs nose at NSA?

This forces the NSA and other spy agencies to abide by the law and not just hoover up everything without any warrants and without paying Microsoft anything for services rendered - especially that last part...

4
2
Silver badge

I know we don't allow lawyers in the house, but here's an interesting question...

If Microsoft (or another provider) were asked for data and they hand over the encrypted files, have they complied with the request even though the NSA et al are unlikely to be able to read it?

0
0

Wait, didn't Microsoft make it so that it was much easier for the NSA spy on users Onedrive, email etc. Even when MS changed their encryption when moving from Hotmail they let the NSA know and were able to provide them the knowledge that is was easier to get round the encryption. Unless they have completely changed their stance on this I find this hard to believe.

1
1
Silver badge
FAIL

What USA-based computer system is safe when the PATRIOT Act is in force?

With the lawful ability to get any data from any US computer, who needs to tap cables?

6
0

clerk

"Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day," Thomlinson wrote. "This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data." Microsoft Corporation statement

Microsoft is a (the first, since 2007) NSA Prism provider. In respect of the NSA Prism program, you can figure out in general how it works by looking at the slides released by The Guardian newspaper and Le Monde, from the material Edward Snowden provided to them.

You can believe this, if you can believe the authenticity of the US Top Secret documents that have been provided by European journalists, In fact, it is extremely hard to believe anything that is in variance with these documents, certainly not a statement from Microsoft Corporation.

1. Every "Prism provider" - NSA designation (P1-Microsoft, P2-Yahoo, P3-Google, P4-Facebook, P5-PalTalk, P6-YouTube [now Google], P7-Skype [now MS], P8-AOL, PA-Apple - maybe others we don't know about), has, directly connected to their company servers and databases, in one or more private locations on their company premises, a "Data Intercept Technology Unit - DITU", property of the US government, controlled and operated by FBI personnel.

2. Each FBI DITU has a direct connection with the NSA, and CIA, and FBI. I intepret this to mean that there is a direct connection to the Prism Provider's servers, not an Internet connection. An Ethernet connection.

3. There are two types of situations at the DITU.

a) "surveillance" the individual Prism provider client is "under surveillance". This means that every action in which they participate, login, e-mail, voice, videoconference, file transfer, image transfer, etc. is automatically provided to the DITU and transferred to NSA (and, optionally, "dual routing", to the CIA and/or FBI in real time.

I think it takes a FISA court order to put someone under surveillance, but I don't know that. Seems to me the statistics about government requests that some of the Prism providers supply are about "surveillance"

.

b) "Stored Comms" the NSA analyst sends a request to "poke around" in the information (about anyone "Target") that the Prism provider has in their stored database with an association to the targeted client. (e-mails, web pages, uploads, voice, videos, "friends", etc.). In routing the NSA request to the DITU for "Stored Comms", the NSA request is first filtered through an FBI "Electronic Communications Surveillance Unit - ECSU", which filters out the requests pertaining to individuals (presumably only those not under "surveilllance") known by the FBI to be "US Persons", before the request is sent to the DITU. This is done, presumably, to adhere to the 4th Amendment, though I don't think it does very well. For instance, If I "friend" or send an e-mail to a targeted non -"US person", the NSA would get that...

You can look at the slides and see if you agree with my thoughts about this. Incidentally, the Wikipedia site says these slides were released by Edward Snowden, though, of course, Snowden has not released them, to my knowledge, at least.

So, some Prism providers' statements, to the effect that they provide no information directly to the NSA are technically correct, though such statements seem to me to be deliberately misleading.

0
0

TLS isn't end-to-end encryption for email, everything is decrypted on each server, it just encrypts the transport layer (if it can). You'd want to use something like PGP for end to end encryption for email.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums