Office365 Outlook security

Microsoft used to have a bad rep for security, but since they introduced their secure development lifecycle about a decade ago there has been a noticeable improvement.

Perhaps I shouldn’t have been surprised to notice something amiss today, but I was. I was using the Office365 Outlook web app and noticed an issue with the SSL security being reported in my browser.

[Image: Outlook address bar icon]

/sigh.

Which of the common and basic security mistakes have they made this time?

[Image: Outlook security report]

Part of the page is not encrypted? I guess someone hard-coded http somewhere.

For those out there not familiar with this problem, it goes something like this: web pages are actually made up of many different files. There is the main page you visit, then any images that are used, then a bunch of other files, like style sheets or JavaScript, which tell the page how to look and behave. When accessing a website ‘securely’ (using https), all of these files should be transmitted to your browser encrypted using SSL. However, sloppy coding can mean that whilst the main page is loaded securely, one or more of the other files are not. Depending on the nature of those files, this may represent a security or privacy risk.

C’mon Microsoft, you can do better.
