Comment by phendrenad2
2 years ago
Okay, I think the problem is, when someone says that something is "sent in plaintext" that usually means that it's interceptable. However, in this case, maybe, the author means that "it's being sent in a form that they can use, not just being stored like LastPass or something". Of course, the entire point of the article is that it's being sent in a format that they can use to connect to your server, so it's a strange statement to drop in the middle of the article.
First of all, the article shows that it is indeed interceptable (although they didn't mention which additional steps, if any, were necessary to achieve that).
And yes, the issue is obviously that it is sent in a way that Microsoft can (ab)use.
> [...] tunneling [through an encrypted channel] back to their servers in plain text
Seems pretty clear to me. The message that is sent contains the password in plain text. Any encryption that is applied in transit is absolutely irrelevant and meaningless. Just Microsoft receiving the credentials is only marginally better than anyone getting them. In both cases the account will be compromised.
You're free to throw away the common-sense definitions for things, and substitute your own, but I'm going to call you on it, and you shouldn't expect people to do otherwise.
I did not throw away any common-sense definitions. I never denied that the message is sent encrypted, i.e. is encrypted in transit. That is entirely irrelevant here though, since MS will be able to decrypt the message because they specifically are the recipient of that encrypted message and therefore will have it in plain text. If you do not see a problem with that you are free to comment your mail credentials here; they will be encrypted so that shouldn't be a problem, right?