Comment by phendrenad2
2 years ago
Okay but the existence of a problem does not change the simple fact that it's encrypted. So many people arguing against this point out of some misguided sense of fuzzy logic.
It is encrypted in transit, but Microsoft is on the receiving end of that transit and gets the plain text password. The encryption does nothing to prevent the third party, that is Microsoft, from impersonating the user and reading all their mail.
sigh It's literally encrypted. You can try to derail the topic, but we're arguing about a very simple fact here. It's either encrypted or not. It's not complicated.
Yes, it is literally encrypted in transit. This encryption, however, does not offer any value in protecting the user from Microsoft stealing their credentials, because Microsoft is the recipient of that encrypted message and is able to decrypt the credentials and therefore has access to the plain text password.
Just like this comment I am writing is literally encrypted when it is sent to HN, and still everyone can read it.
It's worse: anybody who can proxy the communication between Outlook and the MS servers can impersonate the user.
It is not entirely clear to me from the article that this is the case. I'd assume that they had to at least install their MitM certificate into the OS's trust store to intercept that message. If not then this is indeed even worse.
How would a hashed password fix that problem?
It would make it harder for them to impersonate their users and read all their mail. I would still be concerned that they want to run a rainbow table attack against it though. They should not steal user credentials at all, because it is simply not necessary for a functioning email client.
Gur rkpvfgrapr bs rapelcgvba qbrf abg punatr gur fvzcyr snpg gung jung gurl ner qbvat vf onq sbe frphevgl naq ubeevoyr sbe cevinpl.