Windows 11 Update 23H2 is stealing users' IMAP credentials (translate.goog)
666 points by Fischgericht on Nov 9, 2023 | hide | past | favorite | 274 comments



As an email host... I've been turning New Outlook off for clients for weeks trying to explain this.

Apart from the security issues, it's also very annoying to have to explain that I can't actually troubleshoot any IMAP connectivity issues when your machine isn't the one that's actually making the connection.

Now we've been internally discussing whether we should just firewall off whatever Azure ranges are connecting to our IMAP backend servers and intentionally "break" the functionality. Not my first choice, but users keep seeing the "New" toggle and turning it on, causing all sorts of other uncontrolled chaos!

Cloud-first, in all the wrong ways. It's supposed to be a local app..


Spot on.

I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

This IS a big deal and should be a scandal people are educated about, and Microsoft should be forced to stop this immediately. It's interesting that Microsoft appears to have managed to stay under the radar with these deceptive tactics...


We first discovered this while troubleshooting why we were receiving logins with an old password.. after updating the settings in Outlook. They had no other email clients, but the 'New Outlook' didn't actually send the updated password to the Microsoft cloud due to a bug :P

Imagine my surprise discovering that this little banner in their Outlook settings that said "Using Microsoft sync technology" actually means "This is no longer really a local IMAP client".


> I am a bit puzzled that I have not been reading about this in any big US media, not even IT ones. How did you first learn about it?

If Microsoft has the power to pay the EU for laws in its favour, I presume (I am actually sure, see "Die Welt") that paying some newspapers poses no big logistical problems.


The big logistical problem is: How do you select which newspapers to pay?

All of them? Now you've announced that you've got something to hide and are trying to pay off newspapers to hide it. One of them is going to decide that this story is too juicy not to publish.

Only those that find out some other way and ask for comment? Well, in this case Microsoft didn't reply to c't Magazin's request for comment before publication...


Just one or two probably. One right and one left wing publication.

One side writes a piece, something like: "How the new Outlook saved my {insert protected class}", another one on the other side something like "New Microsoft Outlook uses your mail credentials to steal your DNA via nanosites because Bill Gates wants access to your children."

And then the rest of the media pick it up from there, spin it in their respective direction, receiving their generous donations from one of the numerous MS foundations that funnel money into these places, based on how damaging their puff pieces were.

Now nobody cares about the problem anymore because they are too busy fighting each other.


"How the new Outlook saved my LGBT" "How the new Outlook saved my Woman" (Hey, this actually parses! Though not in the intended way...) "How the new Outlook saved my African American" (ok, this is getting troubling) "How the new Outlook saved my Christianity" (The first article I'd actually read) "How the new Outlook saved my Age" (big scope!) "How the new Outlook saved my Ex Serviceman" "How the new Outlook saved my Disability"


MS (and other enterprise big tech) gets laws in their favor in the EU because the EU has no solid alternative to MS. There is no EU based big cloud provider with similar capabilities, software ecosystem, integration, nobody offering a comparable office suite, familiar operating system with legacy compatibility, collaboration platform, etc.

Even when you have solid competitors for individual components, the whole package is hard to resist. So they're stuck with MS for the moment, and slowly get absorbed in that ecosystem making it even more entrenched. But MS doesn't need to pay to get the law, they just have to let EU companies try out alternatives until they go back to being slowly boiled with MS. The EU is looking for excuses to excuse MS because everyone decided the price we all know now is worth paying to get access to a full ecosystem that fills all other needs.

Effectively the EU is "paying" MS to stay, not the other way around.


Um, Google Business and Google Workspace aren't in the EU? They're great alternatives to Microsoft cloud in the US.


As I said at the beginning, this applies to most other enterprise big tech companies from the US. MS in particular has a hook others don't: most companies right now are still solidly tied to Windows, Office, AD/Entra. This is the slope that easily leads to the whole M365 environment. It's hard even for Google to compete with this. And it's impossible for the almost non-existing EU offering in this space to compete. There are lots of individual services that could compete 1:1 with the equivalents from MS or Google but nothing that can compete with the full ecosystems and vertical integration they provide.

Even so, a law that benefits MS will also benefit Google under these circumstances. Any law that locks out MS or Google (like GDPR which constantly sees "exceptions" carved out) will have some severe economic repercussions on EU companies, not to speak of the political/diplomatic ones with the US.


It is even worse.

MS doesn't need to do anything. They don't need to pay anyone off. EU bureaucracy is extremely strongly wedded to MS products like Windows, Office, Teams, Outlook etc. As are all EU national bureaucracies and public institutions.

There are firm opinions by e.g. the BSI (German IT security office, comparable to something between NSA, mostly NIST, DHS and ANSI) and other equivalent European national offices that it is practically impossible to operate modern MS products securely. E.g. there are guidelines from BSI like "we know that in that exact version (which is years old, because the guideline took ages to write) you need to set the following registry keys to prevent data exfiltration. Btw. this won't help you, because you also HAVE to upgrade within a few weeks of each available update". There are firm opinions by multiple European data protection offices that basically say the same about GDPR compliance in MS products. Practically impossible to achieve, there might have been that one configuration, "Once upon a time of writing the report, with that specific version of Windows and Office, when firewalling off half of Azure, setting those 300 registry keys, manually deleting the following files, illegal telemetry could no longer be observed. Also, you are obliged by GDPR to follow good practice and update regularly, so good luck with that...".

Basically it is illegal to process any personal data using MS products in the EU if the processing system has any kind of outgoing internet connection. All the bureaucracies ignore this systematically, citing the "impossibility" of working without said MS products. Migration plans away from those illegal processes are regularly cancelled, ignored or never completed. MS is free to do whatever it wants, they are never really investigated, fined or held to any laws.

Meanwhile, other big IT firms like Meta, Google, Twitter/X and lots of others are held to far higher standards. Where tons of your local government's data about you like tax report, criminal records, school records and similar things are subject to being exported to the US via Azure, MS telemetry and what not. With FAANG there is complaining about comparably laughable stuff like "well, that IP address that Google Fonts could observe...".

The problem, why this doesn't change, is that the local government institution is responsible for their data processing (according to GDPR and other laws), MS being only their contractor. And those government institutions are usually (in almost all EU states) free from GDPR and other penalties, and those penalties would be left-pocket-to-right-pocket anyways.

This is why MS gets a free pass on everything. Imho this must end.


So the "bug" is a convenient spy program for the US government.


Why even pay newspapers, when most do not understand the problem anyway, so do not want to read about it?

Microsoft is already taking so much data, I would have trouble to explain to the layperson, why this incident is worse, than all of the other shit they are doing.


The parent's remark was about US media. Hardly "some newspapers" to pay, and how does the EU come into play here?


Calling "Die Welt" a newspaper is the problem at hand. It should be labeled as yellow press, but yeah...


They have been doing this for years. The mobile outlook app has had microsoft servers check for mail on the user's behalf since forever.


> Cloud-first, in all the wrong ways. It's supposed to be a local app..

It's actually a really weird app. I have a Windows PC I sometimes use at work, loaded with all the corporate crap, among which a full up-to-date installation of Office 365. Since this machine isn't mission-critical, I sometimes like to check "what's new", so I've switched to the "New Outlook".

Yesterday I got an email from someone with an attached Word doc. Usually, I just read those inside outlook, since I only need to skim them at best.

But this time, I clicked "open in word". The thing took ages. First it uploaded the doc somewhere on onedrive (didn't ask me anything). That took a good few seconds. Then it proceeded to open a browser window with a spinny thing doing whatever it is ms products do when they have you waiting around for no apparent reason. Then it finally opened the doc in word online. All the while having a perfectly good copy of word sitting on the same nvme drive as the freakin' attachment.

Now, this computer isn't the latest thousand core threadripper or nothing, but it was still the longest I've ever had to wait around for a 2 page text-only word doc to open.


New Outlook, which forgot to notify me that I had a meeting coming up despite having notifications set for it.

In a corporate office environment, that’s one of its two jobs.


New Outlook also fails at its second job for me, it won’t fetch email unless it’s the active window.


I wonder if this is related to the Edge feature of "freezing" tabs, since New Outlook is clearly an Electron-like contraption, but I think they're supposed to use the Edge Web Views instead of shipping their own Electron runtime.

At least it doesn't crash. At one point, it used to just die on me. They've also fixed the window decorations and random icons in the left toolbar, which used to become weird on mouse over.

There's also something else odd going on with the app. When I start it from the start menu, there's a very long lag between my pushing enter and the start menu going away. This happens every time I start outlook after a fresh boot, but doesn't happen with other shitty apps, like New Teams. For those, it disappears right away, even though the app doesn't start up instantly. It doesn't matter the order in which I start them, nor if I only start Outlook after the machine has been running for a while.


pro-tip - just try to use an old version of outlook that's still functional like outlook 2010 and just set autoarchive to run pretty often so the ost doesn't get too big and make the thing crawl...

much better than nuOutlook

though often hard in most corporate environments...

that said, if I were in a more buttoned up IT environment, I'd just use the web client as it's sadly faster than the desktop client these days

I'd use the web client now except the version my company has is pretty bad and old still...


> that said, if I were in a more buttoned up IT environment, I'd just use the web client as it's sadly faster than the desktop client these days

I'm not in a "buttoned up IT environment", but I still prefer the web client. It actually works great on Firefox on Linux and is way snappier than local outlook ever felt.


I might be out of touch with security nowadays, but could there be a reasonable explanation on Microsoft’s part here in that they wanted to try and help prevent the dime-a-dozen malicious attachment attacks that we’ve all heard about? Don’t get me wrong, I’m no stranger to Microsoft’s strategies— opt-out telemetry, Cortana, bing search in the system tray, etc. It’s not all fueled by just this one particular propriety that I brought up, I know it’s also got a lot to do with their way of pushing their products onto their users with annoying opt-out (at best) features that everyone might not want, that serve to push whatever it is they’re trying to sell to their users.

Point is, at least this specific gripe, for what it’s worth I can see some valid justification for. And if this is new behavior that they intend to stick with, I wouldn’t be surprised if they did improve it over time (although I also wouldn’t be surprised if it stayed as much of an annoyance as you described— bing search in windows remains an unchecked crime against humanity to this very day!)


Do not firewall them off. Serve different content and break functionality in a self-explanatory way (i.e. an email that tells what's wrong).


This is nothing user-facing. Microsoft will run that in the background, firewalling it off breaks it, so they'll have to act.


The emails are user facing. So if, say, the ISP were to detect Microsoft servers connecting and serve them back a mailbox with a single email in it instead of the user's real mailbox, then the user would open Outlook and see just a single message. Ideally non-threateningly titled "MICROSOFT HAS STOLEN YOUR PASSWORD" and containing clear instructions on how to switch back to direct IMAP.


That's a great idea and would be extremely easy to roll out. I hope people start doing that!


I can't wait to have to answer an email captcha for every IMAP connection in the future, just because Microsoft decided to do an Apple.


Also, no idea why rebuilding outlook in what can be argued is an inferior technology for a desktop app could be considered a good idea. I can imagine some advantages in consolidating the web and Windows code base, but I'd say that's already a fluke - web and desktop apps are not the same nor I expect them to ever be (and should they?? Look at your phone and ask yourself if you'd prefer all your apps ported to the browser).

New Outlook lacks many, many features its predecessor has, like hot keys and viewing options. It doesn't support multiple languages, a must for someone who isn't American but works in a global company. And yet they push it as if it was an improvement.

Whoever made the decisions on this should rethink their career.



How else could Microsoft guarantee that they get to read your email like Google does?


> firewall azure ranges

This will happen naturally as users change their credentials on the server but not in Outlook. The Outlook proxy will try the wrong password 5 or so times and will get its IPs banned. This will affect many more users using the same server.

This will generate tickets for you and you will direct them to use plain local IMAP clients instead.

This whole idea at Microsoft was clearly forged by someone who has never served mail and is bound to fail as it trips standard security practices present for decades.
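A defender-side check for the situation in this thread (the email host's post near the top, and the lockout point in the comment just above), as an added example that is not from the thread or from any vendor's code: parse Dovecot-style IMAP login lines, flag accounts whose successful logins arrive from proxy/cloud ranges, and show why a per-IP lockout on a shared proxy IP also hits other users. The log lines are constructed; the CIDR list is a TEST-NET placeholder, since the thread does not give Microsoft's actual ranges.

```python
"""Spot IMAP sessions that arrive via a cloud proxy rather than the user's own client,
and compare a naive per-IP lockout with a per-(IP, user) lockout.

Added example, not code from the thread or any mail vendor. Log lines are
constructed in Dovecot's imap-login format; CLOUD_PROXY_RANGES is a placeholder.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# PLACEHOLDER (TEST-NET-1): replace with the proxy/cloud ranges you actually observe.
CLOUD_PROXY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Lockout threshold assumed for illustration (the thread says "5 or so times").
FAIL_THRESHOLD = 5

LINE_RE = re.compile(
    r"imap-login: (?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample: alice logs in directly and via the proxy range, bob only via the
# proxy, carol's stale password fails 5 times via the proxy, dave fails once directly.
SAMPLE_LOG = """\
Nov  9 10:01:12 mx1 dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.5, TLS
Nov  9 10:01:40 mx1 dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov  9 10:02:03 mx1 dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov  9 10:02:30 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov  9 10:02:45 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov  9 10:03:01 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov  9 10:03:17 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov  9 10:03:33 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov  9 10:03:50 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.org>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, TLS
Nov  9 10:04:02 mx1 dovecot: imap(alice@example.org): Logged out in=42 out=1337
"""


def parse_line(line):
    """Return (event, user, remote_ip) for an imap-login line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = "login" if m.group("event") == "Login" else "authfail"
    return event, m.group("user"), m.group("rip")


def is_cloud_source(rip, ranges=CLOUD_PROXY_RANGES):
    """True if the remote IP falls inside one of the configured proxy ranges."""
    try:
        addr = ipaddress.ip_address(rip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def analyze(log_text, ranges=CLOUD_PROXY_RANGES, threshold=FAIL_THRESHOLD):
    """Report proxied accounts and the collateral damage of a per-IP lockout."""
    proxied_users = set()
    fails_by_ip = Counter()
    fails_by_ip_user = Counter()
    logins_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, user, rip = parsed
        if event == "login":
            logins_by_ip[rip].add(user)
            if is_cloud_source(rip, ranges):
                proxied_users.add(user)  # credentials are being used from the proxy side
        else:
            fails_by_ip[rip] += 1
            fails_by_ip_user[(rip, user)] += 1
    # A per-IP lockout on a shared proxy IP also locks out every other user whose
    # mail happens to flow through that same IP.
    collateral = {
        ip: sorted(logins_by_ip[ip] - {u for (i, u) in fails_by_ip_user if i == ip})
        for ip, n in fails_by_ip.items()
        if n >= threshold
    }
    # Keying the lockout on (IP, user) only affects the account with the stale password.
    targeted = sorted(k for k, n in fails_by_ip_user.items() if n >= threshold)
    return {
        "proxied_users": sorted(proxied_users),
        "naive_ban_collateral": collateral,
        "targeted_lockouts": targeted,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With the constructed log, a per-IP ban of the proxy address would also cut off alice and bob, while the per-(IP, user) lockout only touches carol's account.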


Microsoft has been doing this for many years for mobile Outlook, so it seems to work well enough (unfortunately).


Curious why they are making the connection on your behalf. Could it have anything to do with LLM’s? Either way, if I were IT, I’d be livid.


It's because IMAP is not very good for disconnected or mobile operation, and if you're willing to put a server between the on-device client and the IMAP server you can do much better at the cost of sharing credentials and content with the server. Not a new idea, mobile mail systems going back to Danger, BlackBerry, Good, etc have done this and probably there was precedent before that.


Depends very much on the client. Samsung Email is atrocious, but Apple Mail works great (and I think they’re both local clients).


Client authors try but there are still IMAP protocol design choices that cause issues with sync reliability, bandwidth usage, lack of push, etc. You can read the JMAP design rationale for details, they cover it all pretty well. Security issues with middle boxes are well known too, just ask anyone who's worked in IT security how they feel about BlackBerry Enterprise Server. I think it's possible to build something similar in a better way by isolating the middle box bit and putting it in a more controlled environment like AWS Nitro where the client gets boot attestation and the service provider sees only a black box they can bill for, but this would require getting Apple etc on board to modify their clients.


My recent experience with New Outlook was that it forced the change every month or so and I had to disable it and restart it to get the old version back. There was no setting to stop this, I looked a lot.


Limit Azure connections to 500 b/s. Make them wait and keep slowly moving connections active.


And you'd still have your users complaining to you, not to Microsoft.


but at least MS is paying the bill too


Is MS sharing the list of IPs to firewall, somewhere?


> Cloud-first

Well, IMAP is already "cloud-first" by itself; so this is "cloud first and second", also known as MITM.


Sounds like a government-requested "feature".


You may have been too late if you've only been doing this recently. Outlook for Android has been doing the exact same thing for years (which I was quite surprised and upset to find out about at the time).

It's a shame, because like many Microsoft apps, the Outlook app isn't half bad if it weren't for the disgusting privacy violations.


Curious, you are an email host for what? If it is a corporate entity, can't you control the devices your employees can access mail from or which client is whitelisted? If it is public, why do you care where the mail server is hosted?

I agree that changing an app from offline to online, without appropriate messaging is wrong. But, it is not different from how Gmail works as a mail client.


You're looking at it wrong. As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone. If you discover that they have, then they have wilfully compromised the security of the service you are providing, and you should immediately invalidate their credentials and contact them out of band to explain that you have acted to protect their account.


The credentials only give access to the user's data, so they damn well should be free to give those credentials/data* to whomever they please. Keyword give, Microsoft shouldn't build a de-facto keylogger.

* Ideally they should be separated like through OAuth, but that isn't an option for an ancient standard like IMAP.


> As an email host, you surely have an agreement with your clients that they will keep their credentials secure and not share them with anyone

Why would they? The users can do whatever the hell they want with their credentials


This is the horrifying core issue: "When creating an IMAP account, c't was able to record that the target server, login name and password were being transferred to Microsoft's server. Although TLS protected, the data in the tunnel runs to Microsoft in plain text. Without informing or asking, Microsoft grants itself full access to the IMAP and SMTP access data of users of the new Outlook."

To be clear: this is for accounts not hosted on Microsoft servers. They likely copy all of your existing mails to their servers, and any future mails sent or received also run through their servers.


How is that not a $1 billion fine under European law?


This shouldn't be just a fine. They exfiltrate a users credentials for another service without explicit consent and intercept a confidential communication channel between the user and their mail provider. This is straight up criminal behavior and should lead to jail time for the responsible person.


Because Europe heavily depends on the US for its defense and because most of MS is by now an extension of the US establishment from a strategic pov (the dividends and the profits still go to MS’s private investors, many of them Americans, but that’s not what the US establishment is really after)


No. Because it's still early.

It quite probably will turn out to be fined.

Let's wait (for months or years).


If anything, the fine would be at most a symbolic gesture.

Just think how hell would have broken loose if the same practice had been carried out by a Chinese company or even by a Russian one (such as Kaspersky, let's say).


When combined with the rate limiting on the 365 email API and ultimately removing IMAP access, this seems like a strategic goal to capture our data.

The dark patterns pushing content to one drive from office apps and web access opening attachments and keeping them in one drive is another example of this data grab.

It’s an example of shareholder value trumping customer value, the primary purpose of cloud is to make you pay more without having to provide more in return.


> When combined with the rate limiting on the 365 email API and ultimately removing IMAP access, this seems like a strategic goal to capture our data.

While I agree with your other points, I'm not sure how this one works. If you're using Office365, you're already having your mail at least go through their servers. What difference does IMAP make to their snooping intentions?


This attack targets people's personal accounts. Many people have Office 365 because their work requires it, so they have to use the Outlook app for that. So if those people then choose to add their personal account to the same mail client, Microsoft can also snoop on the private correspondence of their captive corporate audience.


The majority seems to like one-drive. In theory having everything in one place sounds great. Few people think long term. Customer value trumps customer value if you ask me. IT departments and clueless users love MSFT and that will never change. Embrace it.


> seems like a strategic goal to capture our data.

Sure is good they're not an ad company then. /s


My magic crystal ball just showed me that they're going to use your email for training AI models.

They're just trying to catch up with Google in any and every way they possibly can, users trust, privacy and security be damned.


I don’t know about this. Microsoft would already have a huge body of e-mail to train on with Microsoft 365 and outlook.com if they wanted to I guess?


Yes, but mostly internal corporate emails, stretching back decades, with most of the content about how to violate user privacy using various sneaky schemes. I wonder what kind of A.I. would result from training on such content.


Microsoft have run hotmail/outlook.com for decades. This is a service used by hundreds of millions of people, I would guess mostly non-corporate. I think they have more than enough personal email data to train on if they wanted to.


This. I would gather it’s one of the bigger free mail services after Gmail, at least in the western world.


I mean the mails of all their Microsoft 365 customers. Which at least where I live is the majority of all businesses.


Catch up? This is an attempt to re-claim, or solidify, monopoly.


Does the crystal ball say anything about what’s going to happen if Copilot or Bing start revealing non-public information to anyone who asks? It’s bound to happen if they train on non-public information. Imagine Microsoft accidentally releasing other companies’ corporate strategies and proprietary internal tech, or people’s personal finances and private social interactions. I would foresee both major litigation and government regulation coming down pretty hard. I would also expect a dramatic migration away from the product if something like that came to light. I honestly hope they’re smarter than this: training on data without explicit permission is already one of the biggest problems with AI efforts.


You use public data only for your external-facing products like Copilot and Bing.

You use all data, public and private, for your in-house skunkworks LLM-AI used by vetted, NDA-bound staff and execs.

Bing won't be able to answer questions like "What are the monthly active user counts for CoolService LLC?" or "What are the manufacturing processes used at Gadgetmaster International?" but maybe DarkBing will.

Even if LLMs aren't good enough to deliver those answers today, they might be in five or ten years, and in the meantime you want to fill the pool of data you're going to feed it.

Cynical speculation? Yes. Eventually possible? Maybe...


> They're just trying to catch up with Google in any and every way they possibly can

Except when it comes to AI, Google is the one playing catch-up to Microsoft/OpenAI.


I'm not surprised to be honest because the 'new' Outlook is simply the old Office 365 version of Outlook Web Access in an Electron wrapper. They don't seem to have added local storage or local IMAP support, but they simply sync your mail into their cloud instead.

I wouldn't be surprised if this is a ploy to offer users a 'migration' to a paid office 365 subscription later.

The old windows mail was ok even though it wasn't very full featured.


I can't wait for a "Mail" app that can't be properly removed, and keep restarting itself with the computer just to nag you to upgrade from the tray, like they did with One Drive.


Don't wait, leave. Get on an OS that serves you.


This. I hardly understand Linux but I tentatively switched to xubuntu in 2017. Ever since, I only boot windows once every 3-6 months for some proprietary software.

It's an amazing feeling when your OS isn't insisting left and right on behavior you don't want.


> It's an amazing feeling when your OS isn't insisting left and right on behavior you don't want.

Yep, I get this confirmed every so often when I need to boot/install Windows. I will not deny Linux has issues, but so far these issues could be solved or at least worked around. They can be frustrating at times, but at least they tickle the problem solving and learning part of my brain instead of the part reserved for unreasonable anger.


And some advice for anyone new to Linux: Use KDE Plasma (preferably Kubuntu or Debian). Afaict they are the future of Linux (on desktop and mobile) and already better than Windows on desktop. Better in all 3 ways: grandma-friendliness, for corporate/academic/work and for the power-user.

Literally the only 2 things lacking right now are those 3 last game titles left which can’t run via Steam/Lutris and those corporate Windows apps which I prefer to run in a VM (virt-manager).


HDR gaming is the only purpose of my Windows drive anymore. Fingers crossed that Valve has a simplified Linux HDR implementation that desktop users can utilize once the OLED Steam Deck releases

Edit: Looks like KDE could have this sorted soon: https://invent.kde.org/plasma/kwin/-/merge_requests/4589


That's how Outlook on Mac already works. It forces "New Outlook" every time there's an update, and you can't avoid the switch. Worse, even when you switch back to "Old Outlook" it used to mess with your settings.

If this is now simply a way to refresh the snagged IMAP credentials so they can read your email, then it explains a few things.


I have now translated it as a PDF using Deepl. Much better translation, and you can see the images, too:

https://www.scamp.de/stuff/heise_windows_outlook_stealing_im...


A translation by the original source is now available: https://www.heise.de/news/Microsoft-lays-hands-on-login-data...


Thanks. With the screenshot of the JSON payload it's quite frightening and explicit. They did not even try to conceal it...


What's left now, for Windows users? I think the only solution is Thunderbird


Stop using Windows. It is foolish to assume that any data on a Windows machine can stay out of the Microsoft cloud.

E.g. Microsoft Edge on first launch can import bookmarks+stored passwords from Firefox (AFAIK without any user interaction, unless I clicked without thinking), and it also defaults to uploading this data to the Microsoft cloud (unless you're using a local account?).


Yep, I finally made the cut after they by default hijack your filesystem to onedrive. They can literally delete offline files.

I was utterly shocked to find Linux Desktop has more uptime than Windows. Windows forced updates caused so many issues dealing with autosaves, I was spending like 5-10 minutes per day reopening all my programs for work.

Those random Linux annoyances you need the terminal for? I had like 1 or 2 of them during month 1, solved faster than a single forced Windows reboot. Fedora has been flawless 5 months later.

The only terminal work I do is opening ports for my kid's games. It really is the year of the Linux Desktop. It's utterly shocking to me I'm saying it, I was a hater for so long.


I couldn't believe how much better the GUI had become in years as well. Around 2020 I tried a new work laptop with Ubuntu and was blown away. Without any fuss Google Meet worked in FIREFOX with full webcam audio support on a Dell XPS. Just to compare I went to the MS Teams site, and of course it couldn't even get off the ground with Firefox. "Your browser isn't supported." It was obvious MS was/is crippling it artificially, and then it dawned on me, I just had my year of the Linux desktop.


> Those random Linux annoyances you need the terminal for?

Generally, if you want hardware that you don't have to fight, the only option is to buy computers with Linux preinstalled, with support. Modern computers are sufficiently complicated that they really only can support one OS. And, for consumer hardware, they even half-ass that.


That's not accurate. Most hardware works out of the box with zero config on all the major distros. There are always some machines with unsupported hardware of course, but it's more the exception than the rule nowadays. This is especially true if your hardware is at least a year old.

I would say that "Generally", it's not a thing you need to worry about. If something isn't working, it's probably a configuration issue on your side. The easiest way to avoid that is to pick an immutable distro like Fedora Silverblue, Suse MicroOS, and soon Ubuntu Core Desktop. Combine that with Flatpaks, and you pretty much never have to touch a terminal or worry about a broken system.


It was that Fedora didn't have some video codec that Reddit used.

I googled it, it was like copy-pasting 2 or 3 commands, then I could watch Reddit videos.

I can't remember the other bug, it might have been an ID10T error.

Can't even blame Linux for that, I have to install way more stuff to make Windows work out of the box. Fedora weirdly has lots of stuff already installed.


You can try to find the computer you want to buy over here [1], and see if there is any hardware incompatibility issues.

Generally, at this point, most hardware lines are supported. If there are problems, they are with new state-of-the-art GPUs, some weird new modems or fingerprint readers. Generally, your mom won't be requiring those. If you are buying for yourself, just pre-check if there are Linux drivers for each of these.

[1] https://linux-hardware.org/?view=computers


I use Windows for work because that's what corporate likes. But at home I've been running only Linux on laptops and desktops since 2006. In 2020, I switched my mom's home computer to Linux. It's been a joy.

Why does anyone use Windows at home anymore? I guess gaming is still an issue?


> I guess gaming is still an issue?

Something of an understatement


I can get that. FWIW I have been maintaining a 86Box image of Windows 95 with Windows Entertainment Pack (including Jezzball and Skifree), the Arcade set (Asteroid, Centipede, Missile Command, Tempest, and the tank one), Pinball, and some other stuff. Those are a bit dated at this point. I haven't played Descent II in years.


>Stop using Windows.

Er....no? Though I do spend an inordinate amount of time closing as many holes as possible. Unfortunately, windows is ok. The telemetry, ads and other bullshit is embarrassing but the software I run is on windows. Tried Linux, various ones, but I spent more time messing about that (software didn't cut it, drivers were an arse for audio, graphic setup was strange) it was a relief to go back. Linux reminds me of w3.1 and all that memory allocation bollocks just to run a game. I choose my lazy acceptance, combined with 'as much as I can do to protect myself', over beating my head over a whole operating system that doesn't cut it for what I require. I won't entertain macs as I trust apple even less (for being closed).


Some people can't stop using Windows yet. Switching to Thunderbird is a good step toward being able to stop using Windows.


> I think the only solution is Thunderbird

Some while ago, there was a bit of backlash over their re-design, but after actually using the more recent versions, I have to say that they did a good job - you can toggle the display density of the UI elements and it's still a good mail client with reasonable performance and usability.

I can even sign e-mails with OpenPGP and did you know that it also has a built in RSS feed reader (a bit clunky, but having news sites/blogs be a folder that's right next to my e-mail accounts works brilliantly well)? In addition, I have it both on my Windows and Linux machines, surprisingly consistent across the board.

Honestly, I couldn't be happier. Maybe also Roundcube hosted on VPSes for my own development mail servers when I don't feel like adding bunches of accounts to Thunderbird, but it's really nice that there's software like this out there in the first place!


My favorite RSS reader is Feedbro in Firefox, maybe on the minimal side but exactly what I need.


Claws Mail: powerful and lightning fast and 100% multi platform native code. (MacOS too but has to be built or downloaded elsewhere)

https://www.claws-mail.org/downloads.php

There's a small command line tool around (can't recall the name, sorry) to convert message bases and contacts from Outlook format so that they can be imported into Claws Mail. I once did that at a workplace where they were having all sort of problems with Outlook and a fairly big mail archive and saw people dropping their jaws when looking at the difference in search speed. Give it a try.


Claws is GTK+, so it's not native.


Native code, not native UI (whatever that means, these days)


Actually, on Windows GTK uses native widgets.


No, using DrawFrameControl et al does not make a widget native.


What is native these days? They seem to have a new UI toolkit every 2 years.


The only native controls on Windows are the classic Win16/Win32 controls, accept no substitutes (not even that new-fangled comctl32 thing).


Is Outlook even native these days?


Cloud Native, the only type of native that matters these days ;-)


If, like many of us, you work in an org that refuses to authorize Thunderbird or anything else for IMAP+Oauth2 to Exchange Online then there are no other solutions. Outlook is e-mail, e-mail is Outlook.


You don’t have to use that for your private email though.


The online school I’m attending is like this with its email. My options are to run the Outlook for Mac desktop app (which oddly seems to be a different beast than “new” Outlook on Windows) or keep Outlook webmail open in a tab. Not even Apple Mail via its Exchange support is permitted.

I ultimately landed on keeping the desktop app open to reduce browser clutter and for the icon notification badge so I don’t miss any important emails.


This is what is so annoying with companies these days. Microsoft has them by the #%!!$ and they’ll continue taking all the productivity loss and other risks just so someone can check a box and say “We trust in Microsoft to manage this, and we’re off the hook.”

There are solutions like the Owl extension for Thunderbird, but that’s for the adventurous ones who want to take risks.


I use eM Client and I recommend it. It works super well, no issues with GMail calendar, Exchange server or any other weird quirks like Thunderbird (used to) have.

The disadvantages are that it's paid (one time payment) and Windows only (no linux version).


PuTTY + Mutt? :)


I’ve done that myself over the years. :)

Windows now directly offers OpenSSH and a decent modern terminal app, so while PuTTY still works it’s no longer necessary for accessing mutt over SSH from Windows. Also, with WSL you can run mutt locally on Windows within a userland Linux distro like Ubuntu or Debian.


This is honestly my favourite thing about windows in recent years. Now that you can just fire up native windows terminal and type 'ssh user@host.com' it has saved me so much time, and probably downloads for putty have dropped considerably as well.


That’s actually precisely what I use. :)


I switched to Mailspring a year or two ago and am very happy about it. It's based on electron so here be dragons, but does the job quite well. It's simple and basic and no fuss while not being an eyesore. Basically, a clone of the Mail app on macOS.


I've tried to use Mailspring a couple of times on Linux but apparently server syncing is still broken after 5+ years[0]. Until it works reliably I'm stuck with Thunderbird.

[0] https://community.getmailspring.com/t/disappearing-emails-de...



> What's left now, for Windows users? I think the only solution is Thunderbird

Microsoft OS is reading your keyboard. If they did it once, they will do it again.


Microsoft is allowed to do whatever it wants with impunity, including stealing your password and tunneling back to their servers in plain text

Wow, just wow


It's not plain text, it's encrypted via TLS


Well, two counter-points: 1. their TLS implementation isn't secured against MitM attacks. 2. They receive the full plain text password, not a hash.

Not sure if it's apparent from the English version of the article, but Heise performed a successful MitM attack to extract the plain text password from the data stream.


What use would a hash of the password be when the purpose is to log in as the user?


You're correct it's necessary for how they use this, to impersonate a user and 'clone' their email data. But then, that is the problem, they shouldn't be able to do this at all.


Okay but the existence of a problem does not change the simple fact that it's encrypted. So many people arguing against this point out of some misguided sense of fuzzy logic.


It is encrypted in transit, but Microsoft is on the receiving end of that transit and gets the plain text password. The encryption does nothing to prevent the third party, that is Microsoft, from impersonating the user and reading all their mail.


sigh It's literally encrypted. You can try to derail the topic, but we're arguing about a very simple fact here. It's either encrypted or not. It's not complicated.


Yes, it is literally encrypted in transit. This encryption, however, does not offer any value in protecting the user from microsoft stealing their credentials, because microsoft is the recipient of that encrypted message and is able to decrypt the credentials and therefore has access to the plain text password.

Just like this comment I am writing is literally encrypted when it is sent to HN, and still everyone can read it.


Okay, I think the problem is, when someone says that something is "sent in plaintext" that usually means that it's interceptable. However, in this case, maybe, the author means that "it's being sent in a form that they can use, not just being stored like LastPass or something". Of course, the entire point of the article is that it's being sent in a format that they can use to connect to your server, so it's a strange statement to drop in the middle of the article.


First of all, the article shows that it is indeed interceptable (although they didn't mention which additional steps, if any, were necessary to achieve that).

And yes, the issue is obviously that it is sent in a way that microsoft can (ab)use.

> [...] tunneling [through an encrypted channel] back to their servers in plain text

Seems pretty clear to me. The message that is sent contains the password in plain text. Any encryption that is applied in transit is absolutely irrelevant and meaningless. Just microsoft receiving the credentials is only marginally better than anyone getting them. In both cases the account will be compromised.


You're free to throw away the common-sense definitions for things, and substitute your own, but I'm going to call you on it, and you shouldn't expect people to do otherwise.


I did not throw away any common-sense definitions. I never denied that the message is sent encrypted, i.e. is encrypted in transit. That is entirely irrelevant here though, since MS will be able to decrypt the message because they specifically are the recipient of that encrypted message and therefore will have it in plain text. If you do not see a problem with that you are free to comment your mail credentials here; they will be encrypted so that shouldn't be a problem, right?


It's worse: anybody who can proxy the communication between Outlook and the MS servers can impersonate the user.


It is not entirely clear to me from the article that this is the case. I'd assume that they had to at least install their MitM certificate into the OS's trust store to intercept that message. If not then this is indeed even worse.


How would a hashed password fix that problem?


It would make it harder for them to impersonate their users and read all their mail. I would still be concerned that they want to run a rainbow table attack against it though. They should not steal user credentials at all, because it is simply not necessary for a functioning email client.


What?

They would use the hashed password to login to the server, using something like XOAUTH2. That’s the point of the hashed password. It accomplishes nothing other than revocation, which can be done already by changing your password.


What you are referring to is called an access token and has nothing to do with hashed passwords. A hashed password cannot be used directly to authenticate, otherwise it would not be a hashed password, but just a password (or access token, which is the same really).

I don't understand how hashed passwords got into this discussion though. My point is that microsoft should have no way to authenticate as an outlook user against their third party mail provider without the user explicitly giving them permission to do so and what they do is strictly unnecessary to provide the functionality of an email client.


Gur rkpvfgrapr bs rapelcgvba qbrf abg punatr gur fvzcyr snpg gung jung gurl ner qbvat vf onq sbe frphevgl naq ubeevoyr sbe cevinpl.


it is not a hash


They didn't say it was. They were asking what use a hash would be.


I filed a GDPR complaint regarding this when they released it on Mac, because it is not transparent what data Microsoft stores when you stop fetching email over their Exchange proxy. This was their response, after 3 months...

• How long is mail data fetched from the non-Microsoft server retained? On 31st day of user inactivity we mark the account for removal. The account is soft deleted, and the data is purged within a week (approximately) after that.

• What happens with an account that is no longer being used? Does the service continue fetching and “enhancing” mail data or does it happen on demand when a user opens Outlook? - If the user is not signing into the 3rd party accounts using outlook mobile, Teams for life or Outlook for Mac. We stop syncing any data after 7 days and mark the account for deletion after 30 days.

• How do I know what data the service holds? - Service holds Mail, Calendar, contacts data and profile data for the user (User provides consent to collect this data during add account flow).

• How can I make sure data is no longer retained? (e.g., does logging out from Outlook delete the mail data and credentials?) - When removing the account in Mac you can choose to "Sign Out On All Devices" which deletes the mailbox from the Microsoft Cloud (Exchange-backed mailbox where the third-party account is being synced).

I also filed a complaint about not making it clear if data is required for processing (Article 13, Section 2(e) [1]) - but the supervisory authority ignored me on that one.

[1]: https://gdpr-info.eu/art-13-gdpr/


To call the "new" Outlook a horrible piece of software, would be an insult to actually horrible pieces of software. They're one tier below that, wherever that is.

The fact that this is acceptable, in their narrow minds, is insane


I wonder if Microsoft execs themselves use this crap, and what they think of it


"Although TLS protected, the data in the tunnel runs to Microsoft in plain text". What? Not sure if this is a mistranslation but this makes absolutely no sense. TLS is encryption. Why would they further encrypt it "in the tunnel"?


What they are talking about is that your passwords are uploaded via HTTPS/TLS, so an encrypted connection, but what they are sending are your full passwords in plain text over it.

https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...


For IMAP to work you need the original password, not e.g. a hash.

Once you've decided to send the actual password, whether wise or not, the best you can do is encrypt it, and TLS does that.

What else would you expect?


TLS is only transport encryption. The password will be transmitted in clear before and after that transport.

This is not at all comparable to other "store my passwords inside the cloud"-systems, where the passwords are encrypted and decrypted on the users' devices, without the encryption key going to the cloud provider - that's the way it's handled in Password Managers, Chrome Auto-Fill etc.

And I would expect Microsoft asking the user for explicit consent "May we take your IMAP password and transfer it and store it in our cloud?" in easy to understand wording so people understand the consequences (for example getting fired for having punched a gaping hole into your employer's security policies like "Don't share this password with anyone")

That expectation would match the law in the EU.

And in addition, inside the EU it would also have to guarantee that the password will only be stored on servers inside the EU, and not end up, for example, with the NSA. And even then it still might not be legal.

And from a user's perspective: Certainly a big chunk of users that have been using email software for the last decades would assume that an email client installed on your PC is doing the IMAP access locally. There is no need for your IMAP credentials to go to Microsoft. Merging your local mail store from multiple sources inside the client is what email clients have been doing for the last 20 years. There is absolutely no need to move this to the cloud. Yes, my computer can handle merging email folders.


> What else would you expect?

I would expect user credentials to not be uploaded without giving an extremely explicit explanation and receiving informed consent from the user.


Also, the credentials have to be stored in plain text. M$ servers cannot auth with your IMAP host with a password hash, so they must be saving the plain text password somewhere which seems absolutely crazy to me.


No, that's just wrong. They can store these credentials encrypted with algorithms such as AES-256. No need to store them in plain text.

This is actually standard security practice when you absolutely have to store a key in a way that you can use it later, such as a password or an API key.
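The encrypted-at-rest storage the comment above describes, as an added example in Go; this is not code from the thread or from Microsoft. The 32-byte key is generated locally and stands in for a key that would live in an HSM or KMS, and the account ID is bound to the ciphertext as associated data so a sealed blob cannot be moved to another account's row. The sample account ID and password are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedSecret is the only thing written to the credential store: a nonce and
// AES-256-GCM ciphertext, never the password itself.
type SealedSecret struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit key. In production this would be generated
// inside an HSM/KMS and never exported; here it is a local stand-in.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts password under key, binding accountID as associated data so
// the blob only opens for the account it was stored against.
func Seal(key []byte, accountID, password string) (SealedSecret, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SealedSecret{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per seal
	if _, err := rand.Read(nonce); err != nil {
		return SealedSecret{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(password), []byte(accountID))
	return SealedSecret{Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the password. It fails if the key, the nonce, the ciphertext
// or the account binding differs from what Seal used.
func Open(key []byte, accountID string, s SealedSecret) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(accountID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := NewKey()
	sealed, err := Seal(key, "acct-42", "hunter2") // constructed sample data
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext: %x\n", sealed.Ciphertext)
	pw, err := Open(key, "acct-42", sealed)
	fmt.Printf("opened with right account: %q err=%v\n", pw, err)
	_, err = Open(key, "acct-43", sealed)
	fmt.Printf("opened with wrong account: err=%v\n", err)
}
```

This protects a stolen copy of the database, not the user against the operator: as the thread notes further down, whoever holds the key still decrypts the password whenever the sync service needs to log in.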


Next time there's a data breach at Azure, there will be fireworks.


I would expect Microsoft not to be on the receiving end of my plaintext password.


IMAP supports a multitude of authentication standards, including hash and key-like, so the above is not necessarily true, however it is unlikely that Outlook supports them.

Client certificates are supported by both Thunderbird and K9, would prevent this type of issues.

In the cloud first era, your value is derived from how much customer data is under your control. Not for resale primarily but for stickiness. It's like the dot com era, only for real this time.


> Client certificates are supported by both Thunderbird and K9, would prevent this type of issues.

How? Outlook could just ask you for your certificate (+ private key) and upload that.


I should have learned not to underestimate ingenuity by now.


I would expect that my local e-mail client is making the connection to my IMAP server. Not a connection to Microsoft servers which then in turn connect to my IMAP server.


>Once you've decided to send the actual password,

But you haven't. Microsoft has decided that for you - without telling you.

The more I think about it - that's not even just a GDPR issue, it's blatant malware behavior.


Another reason to use something other than passwords with IMAP for authentication.


I would expect them to at a bare minimum encrypt it using a temporary public key before transmission, in case TLS connection was MITM'ed, and I'd expect them to use those fancy hardware security modules (HSM) they have[1] to protect it on their side.

[1]: https://learn.microsoft.com/en-us/azure/key-vault/managed-hs...


It doesn't matter how well they protect it, they still have the credential, and they decrypt it in order to be able to use it, so for all intents and purposes, it's in the clear _for Microsoft_ (and whoever else manages to have access). This is not how it should be.


Obviously, and this is something they should communicate clearly.

But if they were to provide such a "service" I'd expect them to minimize exposure, including the steps I mentioned.


I was tired and forgot to add they should first check if the IMAP server supports XOAUTH2, and in that case require that to be used.

Still not a great solution but at least not passing the password around.
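The check proposed in the comment above (look at what the IMAP server advertises and require XOAUTH2 when it is there), together with the earlier point that IMAP offers more than PLAIN passwords, as an added example in Go. It is not code from the thread or from any mail client. It parses a CAPABILITY response, ranks the offered SASL mechanisms, and refuses to fall back to a password mechanism when the caller requires a token. The four CAPABILITY lines are constructed for the example, not captured from real servers.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Mechanisms from most to least preferable. OAUTHBEARER and XOAUTH2 present a
// revocable, scoped token instead of the account password. SCRAM and CRAM-MD5
// are challenge-response: the password never crosses the wire, but the client
// must still hold it. PLAIN and LOGIN transmit the password itself and belong
// only inside TLS.
var mechanismPreference = []string{
	"OAUTHBEARER", "XOAUTH2",
	"SCRAM-SHA-256", "SCRAM-SHA-1", "CRAM-MD5",
	"PLAIN", "LOGIN",
}

var tokenMechanisms = map[string]bool{"OAUTHBEARER": true, "XOAUTH2": true}

// Capabilities is the parsed view of one CAPABILITY response.
type Capabilities struct {
	Auth          map[string]bool // AUTH=<mech> entries, upper-cased
	StartTLS      bool
	LoginDisabled bool
}

// ParseCapability handles both the untagged "* CAPABILITY ..." line and the
// "[CAPABILITY ...]" response code carried inside a tagged OK reply.
func ParseCapability(line string) Capabilities {
	caps := Capabilities{Auth: map[string]bool{}}
	inList := false
	for _, raw := range strings.Fields(line) {
		closing := strings.HasSuffix(raw, "]")
		tok := strings.ToUpper(strings.TrimSuffix(strings.TrimPrefix(raw, "["), "]"))
		if !inList {
			inList = tok == "CAPABILITY"
			continue
		}
		switch {
		case strings.HasPrefix(tok, "AUTH="):
			caps.Auth[strings.TrimPrefix(tok, "AUTH=")] = true
		case tok == "STARTTLS":
			caps.StartTLS = true
		case tok == "LOGINDISABLED":
			caps.LoginDisabled = true
		}
		if closing { // end of a bracketed response code
			break
		}
	}
	return caps
}

// advertised returns the mechanisms the server offers, in preference order.
func advertised(caps Capabilities) []string {
	var out []string
	for _, m := range mechanismPreference {
		if caps.Auth[m] {
			out = append(out, m)
		}
	}
	return out
}

// ChooseMechanism picks the mechanism a careful client should use. With
// requireToken set it refuses every password-based mechanism, which is the
// check a cloud-side sync service would have to make before asking for a
// password at all.
func ChooseMechanism(caps Capabilities, requireToken bool) (string, error) {
	offered := advertised(caps)
	if len(offered) == 0 {
		if caps.StartTLS && caps.LoginDisabled {
			return "", errors.New("authentication disabled until STARTTLS; upgrade the connection and re-issue CAPABILITY")
		}
		return "", errors.New("no supported authentication mechanism advertised")
	}
	if requireToken && !tokenMechanisms[offered[0]] {
		return "", fmt.Errorf("only password mechanisms offered (%s); refusing to send a password",
			strings.Join(offered, ", "))
	}
	return offered[0], nil
}

// Constructed sample responses for the example (not captured from real servers).
const (
	SampleOAuthCapable = "* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=OAUTHBEARER"
	SamplePasswordOnly = "* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5"
	SamplePreTLS       = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
	SampleTagged       = "a001 OK [CAPABILITY IMAP4rev1 IDLE AUTH=PLAIN] Logged in"
)

func main() {
	for _, line := range []string{SampleOAuthCapable, SamplePasswordOnly, SamplePreTLS, SampleTagged} {
		for _, requireToken := range []bool{true, false} {
			m, err := ChooseMechanism(ParseCapability(line), requireToken)
			fmt.Printf("requireToken=%-5v mechanism=%-14q err=%v\n", requireToken, m, err)
		}
	}
}
```

Run it as is; the password-only server is accepted with CRAM-MD5 when passwords are allowed and rejected outright when a token is required, and the pre-STARTTLS line yields an instruction to upgrade the connection first rather than a mechanism.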


Transit vs rest, maybe?

I suppose they'd prefer it be not transferred at all, but if it were... to be bundled up safely [for storage] before exfiltration


It’s encrypted between the starting point (Microsoft) and your ISP. Microsoft is the “client” in this case and just like you can read your email in Outlook or Thunderbird, MS can read all of your email that they pull over from your ISP.


Yes I know but saying TLS is 'plaintext' is completely silly. It's like saying your credit card number is transmitted in plaintext when you do a TLS ecommerce transaction.

I do understand the point that the article is making, but implying that TLS is equivalent to plaintext is just plain hyperbole. What else can Microsoft do (assuming they want to do this feature?). Encrypt it again on the client side, then put it in the TLS tunnel? It's just double encryption at that point. They need the password

FWIW the amount of users still using unencrypted IMAP is often pretty high in outlook or apple mail. Now that is a security issue. Try using a wifi packet analyzer at a large conference. I bet you'll see multiple or even dozens of plaintext IMAP passwords going thru the air.


1. Embrace (Sure, Outlook supports SMTP and IMAP! Kinda.)

2. Extend (New Outlook supports IMAP, but only in the sense that we copy all your stuff to our Cloud) <--- We are here

3. Extinguish (We are deprecating support for legacy e-mail protocols, but it's okay because all your old stuff is in M365 anyway)

The dream of decentralized e-mail based on open standards is dead.


Definitely scummy behaviour but it's funny how someone always has to bring up EEE and try their hardest to contort whatever the subject is to fit within that definition.

Back in my day we just wrote Microsoft with a dollar sign for an S


Do you really think this is a particularly try-hard contortion?


A mail client supporting IMAP from the beginning, and then waiting almost 30 years to move on to step 2 of their evil plan? yeah I'd say so


Microsoft has supported IMAP for decades. And, even today, they're nowhere near the top of the heap in email control.

So what exactly is the goal of their master plan? They stop using IMAP for their Hotmail and Outlook.com accounts? Big whoop. The mass of people on Gmail and icloud.com/me.com services will just download one of a dozen other apps. And then just slowly stop using the outlook required accounts; unless mandated by their companies/corporate offices, wherein they just run two clients.

EEE was a policy Microsoft had when it gained monopolistic position in a field. It's misguided and inaccurate to try to apply it here.


Funny how all the antitrust stuff melted away in recent years. It's almost as if the parties involved see that their interests are aligned.


I mean it's easy to claim your actions don't hurt your competitors when you haven't got any.


The antitrust "stuff" disappeared very quickly, 23 years ago, when George W Bush was elected President and his administration wasted no time in stopping the imminent harsh ruling against Microsoft in its antitrust trial, giving them barely a slap on the wrist, compared to the much stronger penalties they were undoubtedly facing (it was not at all unrealistic at that point to be expecting them to be broken up in some way).

Recently, Biden's administration has started changing the federal tune on antitrust, formally rejecting the intellectually and morally bankrupt Chicago School interpretation that has hobbled all antitrust efforts for decades. That's why we're starting to see some real antitrust cases again.


The EU has a lot of Microsoft money on their closed eyes.


Wait for "Microsoft would never!" brigade...


No, it's just that the Halloween Documents are now obsolete, not because Microsoft is kind.

It's because there are newer and better sharks out there, and you guys haven't caught up to the last 1-2 decades.

For example:

https://www.demandsage.com/gmail-statistics/


Isn't this exactly what BlackBerry used to do?

Privacy wise it's distasteful but it does work around a lot of IMAP's problems which still don't seem to have been fixed in the ~20 years that they've been known about...


There are no such IMAP problems, at least ever since IDLE was a thing (which arguably you could argue may have not been a thing up until the 2010s, even if it's technically from the 2000s).

It's just all political bullshit -- the same reason you can have decent IMAP clients on Android, but you can't on iOS (they have to resort to tricks like this), except if you're Apple.


Isn't there still a limit of one watched mailbox per TCP connection?


Yes. But you're going to have a unique TCP connection per host, at minimum.

Unless I'm misunderstanding the problem you're raising, it seems like a non-issue for the majority of people with multiple accounts (a work email, a Gmail, a hotmail; for instance).


A unique connection per host isn't too bad. But I have 12 connections for each of my desktops and laptops and phones and tablets...

As you say the problem is somewhat caused by Apple ~~and Google~~ forcing apps to use their proprietary notification systems so that e.g., mail can be checked while a phone is idling. But the end user does not care about the market abusing power of the monopolies--they want instant notifications when they receive mail...


Google is _not_ forcing, only Apple is. This cannot be emphasized enough.

You can still perfectly have dozens of background TCP connections idling on Android with no issue. The only caution you need to take is to synchronize the keepalives (otherwise the radio may stay on for too long, hitting your battery life), but this was solved back when Android was still Danger.

As evidenced by the power analysis of IM apps that was here on HN a couple weeks ago, there is no discernible advantage to using Google notifications versus just keeping your multiple TCP connections idling in the background: Conversations is a Jabber client which does the second and was practically the most power-friendly client of the entire Android ecosystem.


Oh that's good to know, thanks :)


> A unique connection per host isn't too bad. But I have 12 connections for each of my desktops and laptops and phones and tablets...

It's host<->host unique. So, assuming your email server allows enough keepalives, you're fine with multiple devices.

Where you might have an issue is if you have multiple accounts on the same server (not even the same service, necessarily; Gmail, hotmail, etc have a plethora of servers) and connect to them via the same device.


You wonder what needs to happen that would make people stop using Windows.


Shouldn't be too hard:

1. Remove it from schools so kids don't grow up used to it

2. Stop it being bundled with new PCs

3. Get companies to stop using Excel

4. Convince gaming companies to stop making first class support for games for Windows

5. Make all existing important software and games work just as well on Linux

6. Get NVIDIA to make Linux a first-class citizen


The most critical is probably 1. It feels like gross negligence that Linux doesn’t dominate schools already. What could be more appropriate? It’s so educational and empowering, and a great model for much more in society.

In fact, it may not be an exaggeration to say: the only plausible explanation why Linux isn’t dominant is corruption.


I use Excel on my mac just fine.


>3. Get companies to stop using Excel

Libre Office is just... not there. Something is seriously wrong with it.

Anyway, Linux Desktop is ready for the mainstream. I can typically get away with Google's suite for Office. All of my workflows work fine with Linux, and I have hobbies from 3D printing to electronics to writing to creative work.


Do you have a non Excel recommendation for Linux? Excel is the one reason I use Windows other than games. I've tried Excel on OSX and hated it every time. Some of that is due to different key shortcuts; most of it is due to subpar functionality and performance. It may have changed; the last time I tried was over a decade ago.


Surely you are being sarcastic?


The only sarcasm there is the first line.


For most users, it’d be nearly perfect, hiccup-free compatibility with Windows software and a desktop experience that is identical to that of Windows wherever practical so there is no learning curve. In other words, when users can’t tell they’re not using Windows.

Anything less won’t move the needle, at least in the short term. People don’t like change and they don’t like thinking about their tools. You see this even with macOS, where switchers only put up with learning because there’s immediate tangible benefits like long battery life and reduced heat/fan noise acting as a carrot, and even then sometimes that’s not enough and they end up falling back to Windows.


> You wonder what needs to happen that would make people stop using Windows.

Treat lobbying as what it really is: corruption.

I'm a dreamer, I know.


Everything will run in Azure and all apps will be web apps. You can count on that. This is a clear strategy from Nadella and I doubt anything will change his mind.


What's the difference between this and some of those other email apps like Spark?


Spark does the same thing. In fact, many email clients do this, so you may want to read the fine print before using them.


I know. That was my point. People are in an uproar, but I bet a lot of them use Spark, etc.


What formed your assumption? Many mentioned old Outlook, Microsoft's Mail, Apple's Mail, Thunderbird, Claws, mutt. You mentioned Spark.


If you have large mailboxes, this would steer you toward paying for cloud storage at Microsoft, which might be a surprising bill to face.



Does this mean the new Outlook is actual malware? It's literally stealing your password.


Yes (technically). Just like OneDrive which is stealing your files. But

if you write malware to steal passwords or steal files, you go to jail for computer crimes.

If Microsoft (or FAANG) does it, it is business as usual because they pay legislators and law enforcement to close their eyes.


How is that remotely even legal? That's actively malicious behavior.


If you pay the right people, it is legal.


This could become a bit of an issue. There's a reason why you're using IMAP in the first place, typically.

Hopefully this doesn't apply to eg. Outlook365 as well.


This version of Outlook should be flagged as malware. It is a huge security flaw.

This is exactly why I wouldn't want a MS account on my local system. Without that, this wouldn't even be possible.


Turns out, if you are using an Oauth2 backed service (G-mail) or something like iCloud - then you are fine. It's only for local IMAP accounts (think: your ISP email account) where you type the password directly into the settings that Microsoft is doing this.

Doesn't make this any better- but before you worry that MS has your Google account password, they don't.


No, they only have an OAuth bearer token that lets them impersonate you to the IMAP server. But it's not your password so that's cool, right?


For Google and Apple at least, wouldn't you get a message saying that a new device has attempted to connect, asking you to confirm?


No. The dirty secret is that OAuth tokens, JWTs and whatnot are just as bad as passwords and cookies in terms of credential theft, the difference is only in built-in expiration and scope.


But would you not get a "A new device has accessed your account" warning? Or is that skipped because the token is already validated?


No. A bearer token (which almost all credentials are) doesn't say anything about the device that is using it.

The sole exception are tokens tied to a device's HSM (TPM, Secure Enclave, TrustZone, ...) - you can't clone these onto another device.

ETA: to expand a bit... passwords, SSL client certificates, JWTs, tokens generated after a SAML assertion, they are all fungible bearer tokens. A server has no way of verifying if what is presented to him is originating as an intentional act of a user, or if a malicious third party has duplicated the token somehow and is using it from somewhere else. An attacker can act just the same as the user themselves can. A HSM-backed token, i.e. having the server send a preflight challenge value, and the client HSM signing that challenge together with the token to send back with the actual request, at least proves that the request originated from the device expected to be in control of the user. However, such a scheme comes at a high cost - the user needs to be in possession of a capable device, the HSM needs to be secure, and doing preflight requests to obtain the challenge adds considerable latency.
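The contrast drawn in the comment above, a fungible bearer token against a token bound to a device key via a signed server challenge, as an added example in Go. It is not code from the thread or from any vendor. The ECDSA P-256 key pair stands in for a key held in a TPM or Secure Enclave; in a real deployment the private half never leaves the hardware and only the signing operation is exposed. The token string and challenge bytes are generated locally for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// bearerServer accepts any request that presents a known token string; it
// cannot tell the user's device from an attacker holding a copy.
type bearerServer struct{ valid map[string]bool }

func (s *bearerServer) Authorize(token string) bool { return s.valid[token] }

// popServer binds each token to a registered device public key and requires a
// signature over a fresh, single-use server challenge on every request.
type popServer struct {
	devices    map[string]*ecdsa.PublicKey // token -> device key registered at enrolment
	challenges map[string][]byte           // token -> outstanding challenge
}

// NewChallenge is the preflight round trip the comment mentions.
func (s *popServer) NewChallenge(token string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[token] = c
	return c
}

// Authorize verifies that the holder of the token also controls the device key.
func (s *popServer) Authorize(token string, sig []byte) bool {
	pub, ok := s.devices[token]
	if !ok {
		return false
	}
	c, ok := s.challenges[token]
	if !ok {
		return false // nothing outstanding: never issued, or already consumed
	}
	delete(s.challenges, token) // single use, so a captured signature cannot be replayed
	return ecdsa.VerifyASN1(pub, digest(token, c), sig)
}

// digest binds the challenge to the token so a signature cannot be reused for
// a different token with the same challenge.
func digest(token string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(token), challenge...))
	return h[:]
}

// SignChallenge is the client-side step that a hardware key would perform
// internally.
func SignChallenge(priv *ecdsa.PrivateKey, token string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(token, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Demo reports which of four attempts succeed:
//   bearerStolen: attacker presents a copied bearer token
//   popLegit:     the registered device answers its challenge
//   popStolen:    attacker has the token but signs with its own key
//   popReplay:    attacker replays a signature captured from the real device
func Demo() (bearerStolen, popLegit, popStolen, popReplay bool) {
	token := newToken()

	bs := &bearerServer{valid: map[string]bool{token: true}}
	bearerStolen = bs.Authorize(token)

	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	ps := &popServer{
		devices:    map[string]*ecdsa.PublicKey{token: &devKey.PublicKey},
		challenges: map[string][]byte{},
	}

	c := ps.NewChallenge(token)
	legitSig := SignChallenge(devKey, token, c)
	popLegit = ps.Authorize(token, legitSig)

	c = ps.NewChallenge(token)
	popStolen = ps.Authorize(token, SignChallenge(attackerKey, token, c))

	ps.NewChallenge(token) // new challenge outstanding; legitSig covers the old one
	popReplay = ps.Authorize(token, legitSig)
	return
}

func main() {
	b, l, s, r := Demo()
	fmt.Printf("bearer token copied: %v\nPoP legit device: %v\nPoP copied token: %v\nPoP replayed signature: %v\n", b, l, s, r)
}
```

The cost the comment describes is visible in the code: every request needs the extra NewChallenge round trip, and the server has to keep per-token challenge state; what it buys is that the token string on its own, whether it leaks from a client or from a cloud relay, authorizes nothing.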


I didn't get such warning when I connected Outlook to my Gmail.

But I had to click accept on the Google form requesting my permission to grant Outlook access. So I was informed when the app was connected.

I'm not sure how you would count "new device", since that token is going to be used by a random Microsoft cloud server, potentially different every time.


So just like every other connected app, right?

How are they supposed to access the emails without some sort of token?


Wouldn't it just use the credential from client to directly connect to the service instead of going client->msft->server?

You need a token to authenticate, but the client software (Microsoft here) doesn't ever need to send that data to themselves to successfully auth.

Sending themselves the auth credentials does allow them to then use it on their servers in ways that your client device may not want to (e.g., excessive battery drain) or can do (loss of network). But it then also allows them full access anytime they want and complete control of your data for whatever they want.


> But it then also allows them full access anytime they want and complete control of your data for whatever they want.

95% of people use webmails from Google, Microsoft or Yahoo. They already have complete control.

Sure, Microsoft should make it much more clear what is going on with the passwords and cloud email, but all things considered, nothing really changed for 95% of people.

And if you don't trust Microsoft with your email, but are using this Microsoft mail app on Microsoft Windows, well, that's again weird.


While it's probably not many companies that work this way, and use Outlook, I do wonder what happens if your IMAP is on a closed network.

It is completely possible to have SMTP and IMAP be on internal networks and not on the internet (SMTP obviously needs a way to relay to an internet-connected buddy).


Apple has also started to try to get users to switch to their Mail app, at least on iPadOS. Every time I switch gmail accounts on the web UI in Chrome, I get a popup from Mail asking me to set the account up in Mail.

I can't turn it off.


I only use Knock-OutLook for Microsoft accounts. They have my password already, so no lost security there. Synchronizing email accounts is useful, but I never thought worth the hassle before or after Outlook.


Sorry, I can't read German, but do I understand properly that you give your Gmail password to Outlook (Microsoft) and you are surprised that Outlook does whatever it likes with the password?


I think it's a surprise that that password is going off device. The default mail app traditionally and sensibly is a local-only client, and "sync" features have not behaved in this fashion in the past.


How else are they supposed to get your emails to train their ai models?


This is why Microsoft's phone failed. They're just focusing on the wrong things.


What do you call an economy where the central establishment keeps stubbornly giving consumers things they don't want?


It’s funny but anyone who’s ever used Gmail’s “Accounts” tab on its options page, has voluntarily given Google their passwords to keep forever.

Now Microsoft wraps their web UI in a “native” app and everybody loses their mind.

It’s hardly unusual for an internet-connected app to be at least partially run in the cloud in 2023. Much less unusual when it’s something related to MS365 and AI (one of the banner features of this new release)


False equivalence. In one case, credentials are deliberately given for remote use. In the other case, credentials are expected to be used for a direct connection, but are instead taken for remote use.

One is an explicit delegation, while the other is a man-in-the-middle attack.


I don’t think so. Remote or direct is only something we think about. The general user could not care less nor know the difference. Hardly a false equivalence.


I installed the new Outlook just a few days ago and I almost immediately started to receive emails like "I recorded you, pay or I'll share your files with everyone" on my customized email address. I thought it was a coincidence but now I am beginning to have doubts.


Not to mention that Microsoft authenticator seems to be required now.


Who on earth approved something like this at Microsoft?


Nadella.


just one word: Linux


Go back to Windows 10. Buy MS Office. No to O365.


Why do you think Win 10 is better? It has the same Outlook.


A German IT magazine has uncovered that with Windows 11 Update 23H2, if you accept the "recommended" new version of Outlook, the client may be uploading your secret IMAP credentials to the Microsoft cloud.

If you are trying to add a "local" IMAP/SMTP account, there is a short notice that Outlook needs to "synchronize" your IMAP account with the Microsoft cloud.

It does NOT explain that what this actually means is that it will send all your credentials including your passwords in clear text to Microsoft.

Microsoft's support document to this also only mentions:

"Syncing your account to the Microsoft Cloud means that a copy of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data centers."

No word that it means that they are uploading your passwords.

This is evil. And at least in the EU, illegal.

I have not yet found any report on this in English-language IT media, and therefore have provided a Google Translate link to the report in German.


Big if true, I mean what a footgun. Imagine the target they are painting on their back, with all those credentials now harvested.


Yeah, it's true. c't magazine is the biggest IT print publication in the EU, and is highly respected and known for investigative journalism. It looks like the pictures provided, which show what they captured being sent to Microsoft (your passwords in plain text), aren't shown if the page is viewed via Google Translate.

So here is the original page URL: https://www.heise.de/news/Microsoft-krallt-sich-Zugangsdaten...

And here is the picture that shows what they captured being sent to Microsoft:

https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...


Target ? They are very happy to share your data with 3 letter agencies. You are the target. They are the dealers.


It is not stealing anything because you get a dialog asking you for permission to do it. If you give someone permission to take something, they are not stealing it.

https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/4/3/3/1/...


> It is not stealing anything because you get a dialog asking you for permission to do it

That dialog talks about sync but notably does not mention credentials at all.

Surely this is an instance where informed consent is needed, with full disclosure of what's going to happen.

Something along the lines of: "this means your IMAP username and password will be passed to Microsoft where we will store it indefinitely so we can regularly log into your IMAP server to sync your messages".

Of course, users are less likely to consent if you explain exactly what's going to happen...




I genuinely don't understand how you can come to this conclusion.

If I open the door to someone and allow them to take a picture inside my house, there is no legal understanding that they are now allowed to make and keep a copy of my keys.

The understanding is that I allowed them to take the picture (make the sync), through the access that I gave (door opened / IMAP connection made). And the underlying understanding is actually that I remain in control of access later on, meaning they can't do it again without me opening the door / connecting again.

Microsoft knows that, because they buried that information inside the webpage that the consent dialog links to, except the dialog doesn't say "important detail there" but "for more information see there" aka pretend the dialog's summary is correct.

If anything, coupled with the awkward Outlook (but not Outlook) naming, this is one more of their modern moves that will piss off enterprise IT admins. Your employee opens the "wrong" Outlook, types his office credentials, and then Microsoft now has, outside of your corp account, a copy of all data of that employee AND his credentials. If there was any actual real competitor in their field they would never be able to pull such crap.


Well, the consent item is "sync" and that translates in your sample more to "you consent to let them take pictures of your house whenever they want". And for that, a key property is the username (or your house key). Otherwise, "sync"/"taking photos any time" would not work. You could argue that "sync" could be considered 1-time sync or permanent sync ... but honestly we talk about IMAP and a permanent connection to fetch Emails. Let us not assume we talk about a one time "sync".

And yes, I agree that Microsoft buried the nasty password detail with the purpose of not disengaging the users. I also think that anything data privacy related, normal users are completely overwhelmed with no chance to ever understand the situation.

I share your thought about replicating passwords. Not to the concrete worry you express but that it is a really bad practice compared to industry practice (see OAuth2 refresh token).


It is not informed consent if people don't understand what is happening, though.


Well, they consent to the fact that data is "synced" to Microsoft. That is the use case and the consent-able item. The password is just a random property of that item. And that is literally on the screen. That is broad but that is how privacy topics are generally handled.

I also do not like it.


If the data includes credentials but that isn't explicitly mentioned when asking for consent, I seriously hope that won't hold up before a judge.


I would not bet on that.


I am not so sure about that. Are they allowed to simply assume "expert" knowledge?


No, they are not. GDPR notices (which this is) must be understandable to the layman. Including all consequences like "this will also allow access to other services secured with the same university/company-wide password".

This could also be a punishable crime in Germany: https://www.gesetze-im-internet.de/stgb/__202c.html and other articles around that one.


The German law you cite about getting a password is applicable if you plan to or actually access data they are not authorized to. Which is not the case (assuming they do not).

GDPR deals with privacy. The user name is personal identifiable data. The password is only personal data. The emails themselves can be PII or just personal data. GDPR legally wise, the password is the least risky set of data here (as absurd as it is). Also it is a property of the process. Take a GDPR sheet of a club about giving photographies of your kids to the newspaper. You consent to the publishing of images and give the club data for it (first name, last name, restriction, name of parent, etc). And these properties are not mentioned in the consent but just are part of the process. This is nothing else, just that we are very worried about that the property is a password.

I agree that they should ethically mention that they transfer your password. I also agree that there is no way a layman can understand any consent they grant on the Internet. There is a reason why informed consent in clinical trials (where this can be life and death) is not just a checkbox but a conversation, quiz, explanations, etc.


> The German law you cite about getting a password is applicable if you plan to or actually access data they are not authorized to. Which is not the case (assuming they do not).

Usually this is the case. The user and Microsoft are not the only parties involved here. The Email provider is also involved in that they provide an email account, often e.g. for work or educational purposes. In those cases, handing over account credentials is forbidden by the workplace or educational institution, providing other people such as Microsoft with access is usually forbidden as well. Other commercial email providers often have similar rules. Therefore either Microsoft is doing unauthorized accesses en masse (since they do know that the aforementioned clauses are widespread common practice) or the users are illegally providing access to Microsoft.

> GDPR deals with privacy. The user name is personal identifiable data. The password is only personal data. The emails themselves can be PII or just personal data.

There is no such distinction in GDPR. There is only personal data according to GDPR article 4. A password is personal data because it is "personal" in that it can be (and is almost always) tied to a person. "PII" is something that only occurs in US law. The definitions are different, "personal data" in GDPR is far broader.

> GDPR legally wise, the password is the least risky set of data here (as absurd as it is)

Depends on what else is in that Inbox and what else this password can access.

> And these properties are not mentioned in the consent but just are part of the process. This is nothing else, just that we are very worried about that the property is a password.

Interesting idea, and yes, GDPR allows for not informing the user about what the user already knows, i.e. a kind of implicit consent. However, the surprise that even experts on HN show about this news demonstrates that the average user doesn't know. So this doesn't apply, Microsoft should have explicitly informed and asked about permission to use username and password.


I completely agree that they should explicitly inform. Like you outline, you could run into other issues.

Looks like I have to reread GDPR.

I do the argumentation here only for the argument that Microsoft will not lose in front of a judge.


The dialog talks about needing to synchronize your email account. It then goes on to tell that contacts and events are not synchronized. No one will reasonably suspect your authentication credentials are sent to Microsoft. Such reasoning of this dialog will never fly in a German court.


When I saw that I immediately cancelled the "new Outlook" tryout and wrote in the feedback form that I don't want my mails in the Microsoft cloud.


At least in the EU it is.

Explained in detail, here.

https://gdpr.eu/gdpr-consent-requirements/

Consent must be specific, informed, freely given and unambiguous. The user must be able to revoke consent at any time, as easy as it was providing the consent before.

Very clearly the Microsoft "consent" info does not tick any single one of those items.

Illegal.


Or, in other words:

There is much to criticize about the EU. But where the US has brought the world "By farting during installation of this software you consent to us stopping by and taking your first born child" kind of EULAs / "choices", EU's GDPR is forcing big tech to treat humans as humans again (instead of just data).


I don't know why political entities are brought into these conversations other than for some sense of high-horsedness or a figurative pissing contest.

GDPR is good. So is CCPA, COPRA, etc. Meanwhile, both the EU and the US have plenty of predatory legislation that allows companies to do all kinds of fucked up things.


Because nuance is valuable? "GDPR is good" doesn't remotely address its strengths and failings, nor the conflicting incentives and motivations that produced it.

I agree that there's no room for home-team mentality here, but we should absolutely assign credit and blame where it's due, especially when those of us who don't live in a jurisdiction with such a law gain some halo-effect benefit.


Sure, but that's the point. It's assigning credit/blame to the legislation in question.

Not some arbitrary lines on the ground that also have terrible anti-legislation.


My comment wasn't meant as a pissing contest. It's not me who has created GDPR, I did not have a choice of getting born in the EU, it just happened :)

But I am pretty impressed that in these days where most regulations for pretty much everything are defined by lobbyists, GDPR actually did happen, ended up being a very reasonable set of rules, and actually gets enforced. It was written well, and unlike other regulations it's not full of loopholes.

Laws and regulations created for the sole benefit of your general population are just something you can't take for granted these days anymore. Therefore, for me GDPR is kind of magic.



Is it asking for informed consent for a change when the UI encourages and defaults to not keeping the status quo?


> It is not stealing anything because you get a dialog asking you for permission to do it

Also, at least according to several comments on nearly any story about movie piracy, it is not stealing because all they have done is made a copy.


I disagree. I think that you can’t consent to something you don’t know about and certainly not something you don’t understand. This includes every single eula that everyone agrees to without reading. In my opinion that is not an agreement, as an agreement requires informed consent.

Unfortunately our legal system strongly disagrees with me but that’s my two cents


I thought that's what every email provider does? Fastmail has the same feature where you can provide your credentials and they'll fetch the emails from other providers for you.


If I instruct Fastmail or another provider to fetch mail from a different email provider on my behalf so that I have it in one place, then that is a deliberate decision I make. If I connect to my mail provider via IMAP/SMTP from a local application (Outlook, Thunderbird, mutt or whatever) I do not expect my credentials to be exfiltrated to a third party so that they can also fetch my mail. In fact, I would consider that to be criminal behavior if not VERY clearly communicated, with all its implications.


Many webmail services offer this, but the difference is that the Windows program is a local program, not a cloud service.

The Outlook app for Android does the exact same thing, copying your email to the Microsoft cloud and then serving the emails to your phone from Microsoft's servers.


> Many webmail services offer this, but the difference is that the Windows program is a local program, not a cloud service.

Is it really? The comments on the original Heise article mention that Heise actually misunderstood it and it's basically just a link to the web interface in the task bar so it's not a local app.


I can't see any indication that it's actually a web interface in Microsoft's announcement.

Looking at the Microsoft Store entry (https://apps.microsoft.com/detail/outlook-for-windows/9NRX63...) I don't really see any indication of it being a web app either.

Maybe they're hiding their web app Electron/Tauri style, but I would certainly expect it to be local-only based on the way it's advertised and designed.


The difference here seems to be transparency.


I've had all my Google Translate posts taken down with the ask to post it in the original language, but this one somehow stays up. Mysterious are the ways of the mods.


Wasn't aware of this rule, has been one of my first submissions.

If any mod wants to modify...

Original is: https://www.heise.de/news/Microsoft-krallt-sich-Zugangsdaten...

Deepl-Translated PDF version: https://www.scamp.de/stuff/heise_windows_outlook_stealing_im...


The mods need to sleep sometimes.


I'm fairly certain they're on different timezones and a 9h span with a front page link has been noticed by several.


I'm fairly certain they're all in the US and this post has been on the front page for only a little more than an hour: https://hnrankings.info/38212453/



