The Hacker News — Cyber Security, Hacking, Technology News

After the wide chain of scandals over US global snooping that seriously damaged the trust on the top U.S. Tech companies, Google and Yahoo! came forward and took initiative to provide more secure, encrypted and NSA-proofed service in an effort to gain their reputation again among its users.

Now, Microsoft has also announced several improvements to the encryption used in its online cloud services in order to protect them from cyber criminals, bad actors and prying eyes. The company effort detailed in a blog entry by Matt Thomlinson, Microsoft's Vice President of Trustworthy Computing Security.

MICROSOFT’S COMMITMENT

Last December, Microsoft promised to protect its users data from government snooping by expanding encryption across its services, reinforcing legal protections for its customers’ data and enhancing the transparency of its software code, making it easier for the customers to reassure themselves that its products contain no backdoors.

Yesterday’s announcement comes as an achievement in its ongoing endeavor.

ENABLED PERFECT FORWARD SECRECY (PFS)

Both Outlook.com and OneDrive have been empowered with Perfect Forward Secrecy (PFS) encryption support for sending and receiving mail between the e-mail providers.

Perfect Forward Secrecy is an encryption technique that uses randomly generated encryption key for each connection on a per-session basis, making it even more difficult for cyber attackers to decrypt the connections.

That means, from a service without PFS, government or hacker can demand or steal the long-term secret key used to secure connections and with the help of it they can decrypt that particular session to which the key belongs as well as all past, recorded sessions. But, using PFS, one can prevent itself from this situation, as in this case, compromising one session's key only enables them to decrypt that particular session.

But Perfect Forward Secrecy (PFS) will only protect the connections between the Outlook.com server and other email providers, not the connection between the end user and the Outlook.com server.

MAKE USE OF TLS

In addition to this, both inbound and outbound mail on the Microsoft’s Outlook.com service will also make use of Transport Layer Security (TLS) encryption when communicating with other mail servers that also support TLS. This will make it more difficult for any eavesdropper to listen in to the communications.

Microsoft has worked with a several other mail providers to ensure that the communication is encrypted in transit.

“Over the past six months, we have been working across the industry to further protect and help ensure your mail remains protected,” said Thomlinson. “This includes working closely with several international providers throughout our implementation, including, Deutsche Telekom, Yandex and Mail.Ru to test and help ensure that mail stays encrypted in transit to and from each email service.”

OPENED TRANSPARENCY CENTER

The company has also opened its first "Transparency Center", on its Redmond campus, WA, where Governments can participate to analyze Microsoft source code to confirm that there are no "backdoors" and assure software integrity.

Microsoft had previously announced a Brussels Transparency Center, which is another goal in its list to achieve.

JAVA SCRIPT CRYPTOGRAPHIC CODE FOR DEVELOPERS

Also last month, Microsoft Research team published an under-development JavaScript cryptographic library that extends the W3C WebCrypto API for exposure to software developers and researchers interested in cloud and browser security.

Microsoft Research JavaScript Cryptography Library is designed to work with HTML5-compliant cloud services. Cryptographic library been tested on IE browsers 8, 9, 10, 11, the last Firefox, Chrome, Opera and Safari.

“It provides useful utility functions, such as endianness management and conversion routines. The big integer library is likely to change in future releases. There are also unit tests and some sample code.” Microsoft said.

The library is still under-development and currently supports encryption/decryption of RSA (PKCS#1 v1.5, OAEP, and PSS), AES-CBC and GCM, SHA-256/384/512, HMAC with supported hash functions, PRNG (AES-CTR based) as specified by NIST, ECDH, ECDSA, and KDF (Concat mode).

ON HIGH-PRIORITY YAHOO! is finally rolling out encryption implementation over their site and services in order to protect users. Yahoo is rapidly becoming one of the most aggressive supporters of encryption, as in January this year Yahoo enabled the HTTPS connections by default, that automatically encrypts the connections between users and its email service.

November last year, Yahoo revealed plans to encrypt all information that moves between its data centers and finally from 31st March Yahoo has taken another leap in user-data protection through the deployment of new encryption technologies.

NSA TARGET LIST - GMAIL, YAHOO, ... many more.
Last year, It was revealed by Edward Snowden that under MUSCULAR program, the spy agency NSA was infiltrating the private data links between Google and Yahoo data centers.

After finding themselves in the NSA's target list, Yahoo! and Google forced to think hard about the security and privacy of its users. Google had replied back to the NSA in its own way by encrypting its Gmail service between the company’s data centers to make sure that its users’ personal information is safe from the prying eyes. 

YAHOO <3 ENCRYPTION
On this, Yahoo! also revealed its plan to encrypt entire information at the end of Q1 of 2014. The Company has announced that:

• now it encrypts traffic between its data centers to help protect its users from mass surveillance.
• turned on encryption for mail delivery between Yahoo Mail and other email services that support it, like Gmail, support the SMTP TLS standard has been enabled.
• The Yahoo homepage and all search queries will now also run with https encryption enabled by default. 

Even if the government taps data cables; it won't be able to read your messages. “We implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines,” Alex Stamos, Chief Information Security Officer, said in a blog post.

ENCRYPTED YAHOO MESSENGER.. Coming soon
In the meantime, a fully encrypted version of Yahoo Messenger will land soon to protect users from snooping. Late in February this year, Snowden revealed about project ‘Optic Nerve’, under which US Spy agency NSA helped British Spy Agency GCHQ to allegedly capture and store nude images and others from webcam chats of millions of unsuspecting Yahoo users.

“Our goal is to encrypt our entire platform for all users at all time, by default,” said Alex Stamos. “Our fight to protect our users and their data is an on-going and critical effort,”

Additional upcoming security measures taken by Yahoo include implementation of HSTS (HTTP Strict Transport Security) to ensure that web browsers are using only secure HTTPS communication, Perfect Forward Secrecy to generate unique keys for each user session that prevents users from session hijacking attacks, and Certificate Transparency.

”We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.” he added.