Comment by gmueckl
2 years ago
Well, two counter-points: 1. their TLS implementation isn't secured against MitM attacks. 2. They receive the full plain text password, not a hash.
Not sure if it's apparent from the English version of the article, but Heise performed a successful MitM attack to extract the plain text password from the data stream.
What use would a hash of the password be when the purpose is to log in as the user?
You're correct it's necessary for how they use this, to impersonate a user and 'clone' their email data. But then, that is the problem, they shouldn't be able to do this at all.
Okay but the existence of a problem does not change the simple fact that it's encrypted. So many people arguing against this point out of some misguided sense of fuzzy logic.
it is not a hash
They didn't say it was. They were asking what use a hash would be.