Microsoft flips switch on new webmail encryption

Following a Google report about Web-based email that raised questions about Microsoft's encryption efforts, Microsoft unveils major encryption milestones, including the use of TLS.

Seth Rosenblatt


Microsoft has pulled back the curtain on its implementation of tougher encryption standards for Web-based email and some cloud services, the company announced Tuesday.

After more than six months of work, Microsoft has activated Transport Layer Security (TLS) encryption for its webmail services at Outlook.com, Hotmail.com, Live.com, and MSN.com. This means it will be significantly harder for email originating from and being sent to a Microsoft account to be spied on, as long as the connecting email service also uses TLS.

Matt Thomlinson, vice president of Microsoft's Trustworthy Computing division, said that this work is part of a "comprehensive engineering effort to strengthen encryption."

"This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data," he said.

Although Thomlinson didn't specify the origins of this work, Microsoft's heightened encryption efforts follow an October 2013 report that the NSA had been spying on Internet giants in a program called Muscular. The report was based on documents leaked by one-time National Security Agency contractor Edward Snowden.

Microsoft's move also comes just a few weeks after a well-publicized Google webmail report that painted Redmond in less than flattering colors. Google scored Microsoft, along with Comcast and Apple, as webmail providers with inadequate levels of encryption to protect their users' email.

Comcast and Microsoft representatives told CNET at the time of Google's report that their companies were in the process of implementing TLS for their webmail services. Apple did not return a request for comment.

Microsoft also has activated Perfect Forward Secrecy (PFS) encryption for its cloud storage service OneDrive. The OneDrive website, OneDrive mobile apps, and OneDrive syncing tools will now all use the tougher PFS encryption standard, which protects user confidentiality even when a third party is eavesdropping on the network.

Finally, Microsoft has opened a "transparency center" at its headquarters in Redmond, Wash., where governments can review Microsoft source code for "key products" to confirm that no hidden backdoors have been added to the software. Microsoft has not revealed which of its products will be available for review.