Microsoft Demonstrates Return of S/MIME E-mail for Outlook Web Access

In a blog post on Monday, the development team for Microsoft Exchange Server 2007 Service Pack 1 showed screen shots of an enhancement to Outlook Web Access that enables encrypted e-mails to be sent and received through a Web browser. The demo marks the return of S/MIME support, which had been introduced to OWA before, but which had temporarily disappeared with the first release of ES 2007.

As with Exchange Server 2003 and prior editions, the demo clearly shows that users will need to download and run an additional S/MIME control along with their browsers. For now at least, that makes S/MIME support a Windows-only function, even though OWA itself can be used through browsers in Linux and other environments.

"The S/MIME feature in OWA is about secure messaging - enabling OWA to send and receive signed and encrypted e-mail," Microsoft's Chongwen Xie wrote on Monday. Later, Xie added, "While it's true that the message is unreadable to anyone who might intercept it while in transit, it is also true that even the Exchange administrator cannot read these messages."

The demo shows the download process for the new S/MIME control, and then shows how that control manages the process of locating and using certificates for both the sender and receiver. This is a somewhat different process than for Outlook itself, remember, because OWA may be used remotely, and a user's certificate may not be housed regularly on the system he's using at the time.

But downloading and installing the S/MIME control is a process which some highly secured terminals may not allow, assuming their admins haven't downloaded the control already for their users' benefit. For Windows Vista and XP SP1 users, group policies can be crafted to prevent users with guest or ordinary privileges from modifying the system - especially from installing an ActiveX control.

In BetaNews' report last week on the availability of the SP1 beta, we mentioned the re-inclusion of the S/MIME feature would be particularly important for businesses who want to present Web terminals to guests who would prefer traces of their messages not be left behind. This characterization aroused the attention of Microsoft, whose representative wrote back today to say such traces would not have been left behind to begin with.

"WebReady Document Access and OWA e-mails are sent with 'no-cache' headers," the spokesperson told BetaNews, "to tell Web proxies and browsers not to cache the files that are sent across the net. The 'no-cache' headers have been available for several versions of Exchange Server to address sensitive items such as message body content."

S/MIME makes its return, the spokesperson went on to say, "for users that are still concerned with the contents of their communications," and who may be worried that contents of messages could still be intercepted either in transit or from residual data that may be left on the public machines - data which the spokesperson says isn't really there anyway.

But an essay written by Microsoft Security Business Unit Senior Program Manager Steve Riley on his TechNet blog last September appears to say otherwise. "An organization who uses OWA values anytime, anywhere, any-device access as being necessarily critical to the success of its business," Riley wrote, "that it's willing to accept the risks associated with such access." One of five risks he lists is this: "Evil person reads left-over attachments sitting in the browser's cache."

Granted, at the time Riley wrote this, S/MIME support in Exchange Server had been suspended. But his comments do reveal that knowledgeable people in charge of security for Microsoft do have this potential vulnerability on their minds.

CORRECTION: Last week, we also said that OWA was first introduced in Exchange Server 2007. This isn't exactly correct...in fact, it's dead wrong by about ten years.

"Web access to Exchange has been around since the release of Exchange Server 5.0," Microsoft's spokesperson reminded us. Somehow, we forgot that OWA's predecessor, Exchange Web Access, was introduced in 1997. We stand corrected.
