Comment by Fischgericht

TLS is only transport encryption. The password will be transmitted in clear before and and after that transport.

This is not at all comparable to other "store my passwords inside the cloud"-systems, where the passwords are encrypted and decrypted on the users' devices, without the encryption key going to the cloud provider - that's the way it's handled in Password Managers, Chrome Auto-Fill etc.

And I would expect Microsoft asking the user for explicit consent "May we take your IMAP password and transfer it and store it in our cloud?" in easy to understand wording so people understand the consequences (for example getting fired for having punched a gapping hole into your employers security policies like "Don't share this password with anyone")

That expectation would match the law in the EU.

And in addition, inside the EU it would also have to guarantee that the password will only be stored on servers inside the EU, and not end up, for example, with the NSA. And even then it still might not be legal.

And from a user's perspective: Certainly a big chunk of users that have been using email software for the last decades would assume that an email client installed on your PC is doing the IMAP access locally. There is no need for your IMAP credentials to go to Microsoft. Merging your local mail store from multiple sources inside the client is what email clients have been doing for the last 20 years. There is absolutely no need to move this to the cloud. Yes, my computer can handle merging email folders.

> What else would you expect?

I would expect user credentials to not be uploaded without giving an extremely explicit explanation and receiving informed consent from the user.

I would expect Microsoft not to be on the receiving end of my plaintext password.

IMAP supports a multitude of authentication standards, including hash and key-like, so the above is not necessarily true, however it is unlikely that Outlook supports them.

Client certificates are supported by both Thunderbird and K9, would prevent this type of issues.

In the cloud first era, your value is derived from how much customer data is under your control. Not for resale primarily but for stickiness. It's like the dot com era, only for real this time.

I would expect that my local e-mail client is making the connection to my IMAP server. Not a connection to Microsoft servers which then in turn connect to my IMAP server.

>Once you've decided to send the actual password,

But you haven't. Microsoft has decided that for you - without telling you.

The more I think about it - that's not even just a GDPR issue, it's blatant malware behavior.

Another reason to use something else than passwords with IMAP for authentication.

I would expect them to at a bare minimum encrypt it using a temporary public key before transmission, in case TLS connection was MITM'ed, and I'd expect them to use those fancy hardware security modules (HSM) they have[1] to protect it on their side.

[1]: https://learn.microsoft.com/en-us/azure/key-vault/managed-hs...