Microsoft is building a universal Outlook client for Windows and Mac that will also replace the default Mail & Calendar apps on Windows 10 when ready. This new client is codenamed Monarch and is based on the Outlook Web app that is already available in a browser today.
Project Monarch is the end-goal for Microsoft’s “One Outlook” vision, which aims to build a single Outlook client that works across PC, Mac, and the Web. Right now, Microsoft has a number of different Outlook clients for desktop, including Outlook Web, Outlook (Win32) for Windows, Outlook for Mac, and Mail & Calendar on Windows 10.
The mail client in Windows will carry the well-known Outlook brand and will be a web app. You know, just in case you wanted to know how much faith Microsoft has in its own native application platforms. If not even Microsoft itself cares enough to write native Windows applications, then who does?
The Windows application ecosystem is a complete and utter mess.
Good. The Mail & Calendar client on Windows 10 can’t even rotate photos properly. I use the web app nowadays, I’ve been leaving feedback for this issue for a couple of years now.
I hope MS will do a year of using the new design internally before letting anyone else use it. The Windows 8 client was borderline useless.
A mail client should be a perfect test for the Universal platform. I don’t care about what is used to make an application, only how it performs matters.
This new Outlook app is not built using UWP and that’s the problem highlighted on the post. Microsoft is pushing all sorts of bullshit to its third party devs in hopes of vendor lock-in, yet declines using that same technology for its own applications.
I’m not going to be giving Microsoft’s cloud systems the credentials to my various IMAP and standalone Exchange accounts, and I’m not going to let them fetch and store my email for me.
That makes my self or locally hosted emails the “business records” of a US corporation.
That makes my self or locally hosted emails subject to Microsoft’s Terms of Service – if I engage in an email exchange they don’t like, they can remove my access to my own emails.
I really doubt this will displace the local Outlook Win32 app any time soon (too many ppl invested in it, and Electron+OWA will never come close to replacing it), but it will likely displace the Windows 10 Mail app (which is fine for what it is). And then MS will move onto a new shiny in a few years time.
In the meantime, I’ll be pushing customers and acquaintances to move away from Microsoft even more.
The1stImmortal,
You’re right, this absolutely goes against best practices. Oftentimes IMAP services use single sign-on credentials which can authenticate against all a user’s services. If a user gives their credentials to Microsoft, it could give Microsoft the ability to log in to their employee accounts, etc.
It’s one thing when the company providing email service provides a web client since they already explicitly had access to the data anyways. But now if you’ve got one party hosting the service, and another party providing a SaaS client, you’ve increased the number of parties with access to your data and you’ve increased the failure modes as well.
Microsoft just needs to pop up a window telling users the way they access their emails is changing. Most users won’t question it and will readily provide their credentials, haha.
See my comment about Progressive Web App, so in theory they don’t need to send any data to Microsoft.
Lennie,
I responded to that post. It is an interesting topic though. At a minimum Microsoft servers would be used to proxy traffic (and see limited metadata as a result). However the traffic being proxied could be encrypted client side by the PWA application. This means they’d have to handle the SSL/TLS encryption in JavaScript, which would be unorthodox, but feasible. This opens up the question of how the web application would verify the authenticity of the SMTP/IMAP certificates that Microsoft is relaying back to the client. I’m not aware of an API to verify arbitrary certificates in JavaScript and even if there is one there’s the fact that many SMTP and IMAP servers are self-signed by their respective administrators so some provision would be needed to support these. In traditional clients the user is usually asked to manually confirm new certificates once and the client remembers it for the future. This behavior could be mimicked by the PWA. Alas, this bootstrapping problem does pose a risk for active middleman attacks and chances are the users will not bother checking the certificate hashes manually. Since Microsoft would be playing the role of middleman in this case, it would be feasible for them to exploit their ability to intercept and change IMAP traffic, including the certificate used to encrypt the session.
All of this is theoretical of course, but as I indicated in the other post I don’t think Microsoft is even going to bother encrypting user data from themselves, they’ll just give themselves implied access. Normal users will accept it. There could be more pushback from corporate admins who don’t want their users sharing their credentials with Microsoft, but who knows; they’re already handing out keys to cloud services so what’s one more.
Microsoft made a Progressive Web App in 2019:
https://www.theverge.com/2019/11/26/20983886/microsoft-outlook-com-pwa-progressive-web-app-install-features
Which is basically: an offline web application, with automatic updates.
In theory it would not need to send any of your data to Microsoft.
Here a longer description:
https://www.educative.io/blog/build-modern-apps-progressive-web-apps
Lennie,
Yes, I’ve used it. It works fine if you can accept the usual cons of SaaS. I’m not sure if this is a sign of things to come or not, but in beta products Microsoft was willing to push PWAs to Windows users without asking…
https://www.pcworld.com/article/3586195/microsoft-is-encouraging-office-pwas-which-could-change-how-you-work-with-apps.html
Recent reports say that Microsoft may be pushing Office PWAs to Windows Insiders without their permission. While we’d hope that practice never goes mainstream, it’s worth learning briefly about what the Office PWAs actually are, and how they can help.
First, here’s what’s happening: Windows Latest reported Wednesday that members of the Windows Insider beta program were being pushed the various Office apps as Progressive Web Apps, or PWAs, without opting in.
Good point, however there are caveats. Browser vendors have intentionally placed limitations on what can be done in the browser. In this case critical functionality like network sockets cannot be done inside of the web application. While I understand the security reasoning that browser vendors don’t want to allow web pages to do socket IO, it significantly limits the full potential of web applications, which can be frustrating. For example I find it very useful to run a web application for VNC, but owing to browser limitations no direct connections are possible and the traffic has to be routed back through the web server. And given that the web server is likely running on a different subnet, it can require you to further open up your private network on public interfaces…ugh. Local clients don’t face these kinds of limitations.
Theoretically you are right that Microsoft could implement the security in the browser and then only rely on Microsoft’s servers to proxy encrypted traffic. But something tells me they won’t do this because it would likely be much slower than caching & indexing emails directly on the server. I suspect that HTML5’s limited persistent storage would also struggle to hold the copious amounts of emails that we all have. So my gut says that Microsoft really is going to take your credentials to download emails server side. But this is just my speculation. If you find concrete information about how Microsoft is handling security credentials, please link it since I am curious.
It seems they’re basing the various PWA instances off of OWA’s code, from what I can read and extrapolate from released data.
If so, then what they’re doing is allowing the UI code to run locally, and caching some kind of custom store of data used by the UI, but using Exchange Online for the backend-heavy lifting.
This seems to be similar to what Google is pushing as well, using their email hosting service as a nexus for various accounts, whether or not they’re the actual delivery point for that email.
If I’m correct (and it seems likely to me that I am) then yes, Microsoft will have to have your data.
In theory I suppose you could write a PWA that handled IMAP/POP3/etc locally, but I really can’t see MS doing all that (and I wouldn’t be surprised if there’s some kind of security hurdles in browser engines to overcome there)
There’s no real reason that the web app needs to store your emails on the server. It could just as easily fetch at the client using some creative javascript machinery.
Of course, they want all your base to be on their servers so they will probably set it up that way.
But in regards to companies, so many of them are already hosting everything on Microsoft’s platforms anyway so there’s little concern about using yet another Microsoft web application to get at your mail. Hell, the company I’m working at is using Microsoft’s SSO platform to authenticate our access to 3rd party external suppliers so MS theoretically grant themselves access to everything if someone there was so inclined to get it.
No need to panic (yet). My guess is the desktop version will probably use Microsoft’s React Native UWP bindings. So I think it will be distributed as a Store app on Windows 10 and will operate offline. But it will come with questionable performance and code quality 🙂
I was happy with Outlook Express until Microsoft’s office politics got in the way and they began claiming it was/wasn’t part of Windows and messing things about with new applications which, incidentally, decided not to work with the Word spelling checker unless you had the latest version. I have never used and do not want to use Outlook. All of this was a good reason to shift to Thunderbird years ago and I haven’t looked back.
@The 1stImmortal
A good reason not to use anything American, tbh.
UK law is dodgy enough with a lot of mission creep and retrospective law when the security services get caught with their hands in the cookie jar. EU law is much better as the EU takes human rights more seriously. Anyone who thinks the US does not use your data for espionage and sometimes misuse for political or business reasons is living in la la land.
I love how they flip the bird to Linux users. A web app would work fine on it, just as OWA does. Not that any self respecting Linux user would use it, but that didn’t stop them porting Edge.
Neat! Now MS just needs to announce EdgeOS as their consumer OS. 🙂
I’m not fussed, I doubt giving a MS Desktop App your credentials is any more secure than a Cloud App, if a MS based attacker wants the credentials they’ll get them.
Of course the generalised debate about SSO and other methods of authentication are not MS limited.
I can see a time coming where end users get sick and tired of two-factor, in its more basic forms that people currently endure. I think all the major OS providers need to get serious about multi-factor using one or more biometric forms as an included vector so that it becomes seamless to the end user experience.
There are some interesting ideas surfacing in the industry regarding “Online” versus “Offline” with many now arguing “Offline” is virtually redundant, of course many of us do not agree. Myself I have machines that operate air gapped most of the time, but then sporadically have to be connected in some way to dump or receive Gb of data, any connection at all is a risk.
cpcf,
Well, it’s fine if you aren’t fussed. But there’s a pretty stark difference between a company stealing credentials via a trojan horse inside their software versus them having credentials in their database by design. In the case of a trojan, it leaves more provable evidence. However once our data is in their possession in the form of a service, we have no evidence of their unauthorized activities.
I don’t want to get into tin foil hat territory, but there are nefarious actors. Just take a look at Ticketmaster successfully stealing passwords for competitor systems in order to gain a business advantage.
https://nbcpalmsprings.com/2020/12/31/ticketmaster-to-pay-10-million-in-fines-after-admitting-to-illegally-accessing-competitors-computers/
Even if you trust the company, it doesn’t necessarily mean you should trust all the employees. When a company holds your personal data, it could be a tempting and lucrative target for employees. In the past I remember some Google employees were caught snooping around user data in order to stalk them IRL. But in terms of best practices, it’s clearly best for users to be the only ones with access to their own credentials. 3rd parties should not have access without an extremely compelling reason.
There’s also a legal consideration: a company like Microsoft cannot be compelled by the government to add trojan horses to their software. However companies can be legally compelled to release all the information they hold on users. The Snowden leaks revealed that the NSA did this routinely and in automated fashion. This same issue has come up in cases with Apple and the FBI. Again, maybe you wouldn’t care either way, but it’s notable because our legal rights do change depending on the technicalities of the implementation.
Despite all of this, I will concede your “I’m not fussed” attitude is more representative of what the general public thinks.
The problem with biometrics is that you can’t change them once they are compromised. Furthermore biometrics live in the analog world where algorithms are necessarily lossy, meaning some false positives may be unavoidable in order to reduce/eliminate false negatives. Biometrics are at best a temporary measure since they only have a limited lifetime until they are broken. Many biometric systems already have been defeated and I’m pretty confident it’s only a matter of time before they all are. I still think the “something you have + something you know” 2FA remains the best practice. IMHO biometrics are better suited for cases where the need for convenience outweighs security and the effort of defeating security and even dismembering body parts outweighs the value of theft. Admittedly our day to day mobile use might fit in this category, but it isn’t a panacea.
Alfman.
Isn’t that the point, the mechanism is indifferent, desktop or cloud the nefarious actor can be driving either. Where your data is physically located in that respect means very little if the nefarious actor has access. The problem isn’t where your data is, it’s the nefarious actor who controls it!
Ultimately, we are not in control, not even of the hardware we own.
Rogue employees, whether because of negligence or driven by careerism, are sadly rife, especially in organisations (state or private sector) with no meaningful oversight and weak or badly applied policy or lack of redress, whether legal, political, or via the media. Beyond a certain point this can become normalised, at which point you have to enquire how many dead bodies are required before this inadequacy is corrected.
If anyone thinks it’s bad when discussing hardware or software, what about the bodily autonomy of women or human rights abuse victims? What about your right to have a career in an environment which isn’t psychologically abusive or coercive?
In my experience rogue employees and careerists tend to develop repeat behaviour and become very good at hiding within the organisation or covering up.
cpcf,
No. I’m not sure why you are completely ignoring the numerous points I made as to why they are so different. It makes a very big difference that user data is one database query away versus having to build a trojan to collect it remotely, provision secret command and control infrastructure & channels and find a way to hide it from everyone. Code tracking systems will leave strong evidence of guilt. If internal code reviews miss it, many 3rd party researchers find this sort of malware as part of their jobs so the odds of getting caught are pretty high. Obviously there’s a huge difference between this and a simple database query done behind the scenes.
I think your point was that you have to trust microsoft one way or the other and at a high level that is true. But the fact of the matter is that any data that companies are not mass collecting into their silos is safer from prying eyes. The data they don’t collect is also much safer from the mass corporate data breaches we see year after year.
I agree we see this more and more. Our computer tech is becoming increasingly locked to 3rd parties. This happens in large part because most consumers are not putting up much resistance when companies build master keys for themselves. Personally I do try to protect my rights when I can but alas I’m on the same roller coaster as everyone else.
With that SolarWinds hack, I’m doubtful if I can trust that. Also, that may spell the end for offline email access.