Comment by matrss

2 years ago

First of all, the article shows that it is indeed interceptable (although they didn't mention which additional steps, if any, were necessary to achieve that).

And yes, the issue is obviously that it is sent in a way that Microsoft can (ab)use.

> [...] tunneling [through an encrypted channel] back to their servers in plain text

Seems pretty clear to me. The message that is sent contains the password in plain text. Any encryption that is applied in transit is absolutely irrelevant and meaningless. Just Microsoft receiving the credentials is only marginally better than anyone getting them. In both cases the account will be compromised.

You're free to throw away the common-sense definitions for things, and substitute your own, but I'm going to call you on it, and you shouldn't expect people to do otherwise.

  • I did not throw away any common-sense definitions. I never denied that the message is sent encrypted, i.e. is encrypted in transit. That is entirely irrelevant here though, since MS will be able to decrypt the message because they specifically are the recipient of that encrypted message and therefore will have it in plain text. If you do not see a problem with that you are free to comment your mail credentials here; they will be encrypted so that shouldn't be a problem, right?