Comment by montjoy
2 years ago
It’s encrypted between the starting point (Microsoft) and your ISP. Microsoft is the “client” in this case, and just like you can read your email in Outlook or Thunderbird, MS can read all of your email that they pull over from your ISP.
Yes, I know, but saying TLS is 'plaintext' is completely silly. It's like saying your credit card number is transmitted in plaintext when you do a TLS ecommerce transaction.
I do understand the point that the article is making, but implying that TLS is equivalent to plaintext is just plain hyperbole. What else can Microsoft do (assuming they want to do this feature)? Encrypt it again on the client side, then put it in the TLS tunnel? It's just double encryption at that point. They need the password
FWIW, the number of users still using unencrypted IMAP is often pretty high in Outlook or Apple Mail. Now that is a security issue. Try using a Wi-Fi packet analyzer at a large conference. I bet you'll see multiple or even dozens of plaintext IMAP passwords going through the air.