Msg#: 4628027 posted 11:00 am on Dec 5, 2013 (gmt 0)
Microsoft is alarmed over the allegations of governments circumventing security and says it is taking further steps to expand encryption.
In light of these allegations, we’ve decided to take immediate and coordinated action in three areas:
· We are expanding encryption across our services. · We are reinforcing legal protections for our customers’ data. · We are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors.Microsoft Steps Up Data Encyption [blogs.technet.com]
Customer content moving between our customers and Microsoft will be encrypted by default.
Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we’re committed to moving quickly. In fact, many of our services already benefit from strong encryption in all or part of the lifecycle. For example, Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers. In other areas we’re accelerating plans to provide encryption.
Msg#: 4628027 posted 12:17 am on Dec 6, 2013 (gmt 0)
Funny that they state
For example, Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft,
as it contradicts common knowledge and various reports that 365, outlook.com etc. refuse to use STARTTLS (and hence email in SMTP is going to them unencrypted.
If the email user A sends off securely to let's say Google's mail servers, and Google has to drop down to unencrypted to get it to Microsoft's servers , it doen't matter anymore if the protocols using between MSFT and the recipient are encrypted or not, the likes of the NSA will already have what they wanted: unencrypted easy to parse traffic.
Msg#: 4628027 posted 2:28 am on Dec 6, 2013 (gmt 0)
Microsoft specifically mentions that they will improve encryption settings on those products, so although now they are not using STARTTLS, it is assumed that will no longer be the case after the upgrade. They have given themselves until the end of 2014 to carry this out, so it probably wouldn't be fair to judge things just yet.
Msg#: 4628027 posted 10:43 pm on Dec 6, 2013 (gmt 0)
Bill, sorry but the quote clearly states the opposite of what you're claiming.
[...] Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, [...]. In other areas we’re accelerating plans to provide encryption.
[my bold] While we know it's simply not true, unless you've specific conditions in place that by far aren't the most common ones to start with. No mention at all of upgrades there: upgrades are mentioned in "other areas".