this post was submitted on 10 Nov 2023
340 points (100.0% liked)
Technology
37719 readers
161 users here now
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
What a clickbaity article. I'm all for exposing bad stuff but this article presents zero proof of it transferring passwords. It also fails to highlight the manner of how data voluntarily synced to MS is handled. All in all it doesn't do anything but trying to steer users to it's own services.
So reading another article (https://www.heise.de/news/Microsoft-lays-hands-on-login-data-Beware-of-the-new-Outlook-9358925.html )makes it more clear. If you consent to syncing IMAP account to outlook then it will transfer IMAP username password and mailserver config to Outlook.
I mean, they could have specified that your IMAP credentials would be synced, but it's redundant considering you're telling it to sync.
I know, right? Jesus I hate bullshit tech "reporting" like this. This particular comment just smacks of outrage "journalism":
To be fair, they aren't journalists. They're a privacy-centric mail provider that is warning their customers.
It is very easy to find other sources making the same claim, such as this one which includes an image of allegedly posted json including passwords.
Which I already posted before your reply.
Nice timing. I don't see how warning you that your email passwords will be kept remotely by Microsoft would be "redundant." Many people will assume from that message that it would only send them all your mail, and the even more carelessly optimistic among us might guess that it would be end-to-end encrypted as it obviously should be.
It is end to end encrypted as the data is sent through a tls tunnel. And well, they could spell it out sure. But if that was the only thing the article was complaining about then there wouldn't be many clicks ;)
That is not what "end-to-end" means in this context. In fact, finding out yesterday that Outlook sync is not end-to-end encypted prompted me to look up OneDrive to see if it at least has that feature. It does not, and someone who doesn't know a thing or two about how cryptography works would have a hard time finding out that it does not, because the search results are polluted with people misunderstanding the concept exactly as you do.
Microsoft's own web site goes to great lengths to explain how all your data is encrypted in transit, and encrypted at rest. Their internal security and access control systems are elaborated on in impressive style. You'd think that if they're going to go to all that trouble, and want people to trust them, they would indeed provide end-to-end encryption where it's appropriate. But no, they carefully avoid mentioning the concept. They are unwilling to acknowledge that it might be a thing people expect these days, but they do not go out of their way to correct people who imagine that they already have it.
Could you elaborate on what I misunderstood so I can learn please? They claim tls encrypted tunnel, which is an end-to-end encryption isnt it? Do you mean that the data itself is not encrypted? What is the significance of this compared to a tls tunnel? If it somehow got mitm attacked they could snoop the unencrypted data?
I seriously curious so please explain.
As for third party accounts you can only select IMAP, no pop3, sand it warns you'd be logged in thorough Microsoft servers, they don't even try to hide it