
Comment by phendrenad2

2 years ago

sigh It's literally encrypted. You can try to derail the topic, but we're arguing about a very simple fact here. It's either encrypted or not. It's not complicated.

Yes, it is literally encrypted in transit. This encryption, however, does not offer any value in protecting the user from Microsoft stealing their credentials, because Microsoft is the recipient of that encrypted message and is able to decrypt the credentials and therefore has access to the plain text password.

Just like this comment I am writing is literally encrypted when it is sent to HN, and still everyone can read it.

  • Okay, I think the problem is, when someone says that something is "sent in plaintext" that usually means that it's interceptable. However, in this case, maybe, the author means that "it's being sent in a form that they can use, not just being stored like LastPass or something". Of course, the entire point of the article is that it's being sent in a format that they can use to connect to your server, so it's a strange statement to drop in the middle of the article.

    • First of all, the article shows that it is indeed interceptable (although they didn't mention which additional steps, if any, were necessary to achieve that).

      And yes, the issue is obviously that it is sent in a way that Microsoft can (ab)use.

      > [...] tunneling [through an encrypted channel] back to their servers in plain text

      Seems pretty clear to me. The message that is sent contains the password in plain text. Any encryption that is applied in transit is absolutely irrelevant and meaningless. Just Microsoft receiving the credentials is only marginally better than anyone getting them. In both cases the account will be compromised.
