On Tuesday, Microsoft announced that it has upgraded its entire Outlook.com mail environment to an Always-On SSL experience, protected by Extended Validation (EV). This means that all of the user’s data is protected via 2048-bit encryption – not just the logon page – on Outlook.com, as well as Hotmail and Live.
This is a big deal. Always-On SSL is the most recommended way for any kind of social media site to protect its users. When a site is completely hosted over HTTPS, the user is much better protected from attacks and surveillance. For example, on sites without Always-On SSL, the logon itself may be encrypted, but if the subsequent pages are not protected by HTTPS, the cookie with the login credentials could be intercepted and used for malicious purposes.
The dangers of not enabling SSL throughout a website have been illustrated by the public warnings about Firesheep and other sidejacking exploits. Having one’s security compromised isn’t just a coffee house or airport problem anymore; it can happen while casually surfing to the wrong sites, or even to legitimate sites that just don’t protect their users enough.
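A site operator can check for the exposure described above from the defender's side. The following is an added example, not code from Microsoft or Symantec: it audits captured response headers for pages served over plain HTTP and for cookies that the browser would also send over HTTP. It goes beyond the post by checking the cookie `Secure` attribute and the `Strict-Transport-Security` header, which the post does not mention; the host name, cookie name and sample responses are constructed.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Return (cookie_name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_responses(responses):
    """responses: list of (url, [(header_name, header_value), ...]).
    Returns a list of (url, finding) tuples in input order."""
    findings = []
    for url, headers in responses:
        is_https = urlsplit(url).scheme == "https"
        header_names = {name.lower() for name, _ in headers}
        if not is_https:
            # Anything sent with this request, cookies included, is readable
            # by anyone on the same network path.
            findings.append((url, "page served over plain HTTP"))
        elif "strict-transport-security" not in header_names:
            # Without HSTS the browser may still be steered to http:// later.
            findings.append((url, "HTTPS response without HSTS"))
        for name, value in headers:
            if name.lower() != "set-cookie":
                continue
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                # The encrypted-logon-only case: the cookie is set over HTTPS
                # but the browser will attach it to HTTP requests as well.
                findings.append((url, f"cookie '{cookie}' lacks Secure"))
    return findings


# Constructed sample: logon over HTTPS, inbox reachable over HTTP and HTTPS.
SAMPLE = [
    ("https://mail.example.test/login",
     [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]),
    ("http://mail.example.test/inbox",
     [("Content-Type", "text/html")]),
    ("https://mail.example.test/inbox",
     [("Strict-Transport-Security", "max-age=31536000"),
      ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")]),
]

if __name__ == "__main__":
    for url, finding in audit_responses(SAMPLE):
        print(f"{url}: {finding}")
```
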
The sheer size of this project was daunting – Microsoft likely had to enable SSL on tens of thousands of servers to protect the users on all three popular webmail and social sites. They chose to use EV certificates with 2048-bit RSA keys ahead of the industry-recommended deadline of December 2013, to protect their customers. And best of all, they took the time in their blog to educate their users about what it means to surf safely and look for the green bar.
Symantec is proud to be the chosen Certificate Authority for Microsoft’s EV implementation. And we salute them for using best practices in their Always-On SSL solution, as recommended by the Online Trust Alliance.