3
votes

I'm writing a simple .NET web app to use EWS to view some room calendars on our Exchange Online (Office 365) cloud site. I know how to create the Exchange service in my code, set the credentials to a new WebCredentials (with valid username/password), and autodiscover the service URL.

My question is: are the username/password pair sent securely, or clear text?

If this is not secure, how about if I explicitly set the service's URL to the https://outlook.office365.com/EWS/Exchange.asmx URI?

1
How are you connecting to EWS? Please show us your code. – Dai
ExchangeService svc = new ExchangeService(); svc.Credentials = new WebCredentials(AuthEmailAddress, AuthEmailPassword); svc.AutodiscoverUrl(AutoDiscoverEmailAddress); – TheDudeDude

1 Answer

6
votes

Instead of calling AutoDiscoverUrl(), you can set the url directly using exchangeService.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");.

Also, after calling AutoDiscoverUrl() you can inspect the Url property of your ExchangeService object to see whether it resolves to a secure endpoint or to an endpoint that you trust (from a specific list in your config file, for example).

To be absolutely sure the returned Url is safe and secure, you should verify that the returned certificate is from the organization you expect it to be and that the certificate is signed by a trusted authority. This process is explained here. The default implementation mentioned in the article also accepts self-signed certificates; you probably don't want to do that in your production code. You could pin the certificate to a specific fingerprint, for example.

If you want to exclude self-signed certs, change the following code in the referenced sample to return false:

// When processing reaches this line, the only errors in the certificate chain are 
// untrusted root errors for self-signed certificates. These certificates are valid
// for default Exchange server installations, so return true.

// Or when you know that the certificate is signed by a trusted root authority, return false.
return false;

To answer your question, the username/password is normally sent securely using NTLM or Kerberos. In the worst case they can be sent using basic authentication, but if you're connecting over SSL, then it shouldn't be easy to intercept the password as long as you validate the SSL certificates properly.
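The three measures the answer describes (a fixed https endpoint or an allow-listed Autodiscover result, a certificate validation callback that rejects self-signed and otherwise untrusted chains, and optional pinning of the leaf certificate) put together in one client, as an added example that is not the answerer's code or the referenced MSDN sample. It assumes the EWS Managed API (Microsoft.Exchange.WebServices NuGet package) is referenced; the AllowedHosts list, the PinnedLeafSha256 placeholder and the SecureEwsClient class name are assumptions of this example. Note also that Exchange Online has since retired basic authentication for EWS, so a production client today would use OAuth tokens (OAuthCredentials) rather than WebCredentials; the endpoint and certificate checks shown here apply either way.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Exchange.WebServices.Data;

// Added example, not from the original answer or the MSDN sample.
// Assumes the EWS Managed API is referenced; hosts and pin below are placeholders.
static class SecureEwsClient
{
    // Hosts whose EWS endpoint we are willing to send credentials to (assumption).
    static readonly string[] AllowedHosts = { "outlook.office365.com" };

    // SHA-256 over the DER-encoded leaf certificate, as uppercase hex. Placeholder:
    // obtain the real value out of band, e.g.
    //   openssl s_client -connect outlook.office365.com:443 </dev/null \
    //     | openssl x509 -outform DER | openssl dgst -sha256
    // Leave empty to rely on chain validation alone (no pinning).
    static readonly string PinnedLeafSha256 = "";

    // Replacement for the sample's callback: unlike the sample, no exception is made
    // for self-signed (untrusted root) certificates; any chain error is fatal.
    static bool ValidateServerCertificate(object sender, X509Certificate cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        // Name mismatch, chain problems or a missing certificate all fail closed.
        if (errors != SslPolicyErrors.None)
            return false;

        // Walk the chain status as well, so a chain built with errors is never accepted.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError)
                return false;
        }

        if (PinnedLeafSha256.Length == 0)
            return true;

        // Pin: compare the SHA-256 of the presented leaf certificate to the configured value.
        using (SHA256 sha256 = SHA256.Create())
        {
            byte[] digest = sha256.ComputeHash(cert.GetRawCertData());
            string hex = BitConverter.ToString(digest).Replace("-", "");
            return string.Equals(hex, PinnedLeafSha256, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Autodiscover may propose redirections; accept only https URLs on an allow-listed host.
    static bool RedirectionUrlIsTrusted(string redirectionUrl)
    {
        Uri uri;
        if (!Uri.TryCreate(redirectionUrl, UriKind.Absolute, out uri))
            return false;
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;
        return Array.Exists(AllowedHosts,
            h => string.Equals(h, uri.Host, StringComparison.OrdinalIgnoreCase));
    }

    public static ExchangeService Connect(string user, string password, bool useAutodiscover)
    {
        // Install the validation callback before the first TLS connection is opened.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        var svc = new ExchangeService(ExchangeVersion.Exchange2013);
        svc.Credentials = new WebCredentials(user, password);

        if (useAutodiscover)
        {
            // The callback is consulted for every redirection Autodiscover proposes.
            svc.AutodiscoverUrl(user, RedirectionUrlIsTrusted);
        }
        else
        {
            // The explicit endpoint from the question; no Autodiscover round trip at all.
            svc.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
        }

        // Final check on the resolved Url, so credentials only ever travel over TLS
        // to a host we chose, whichever path produced the endpoint.
        if (!RedirectionUrlIsTrusted(svc.Url.ToString()))
            throw new InvalidOperationException(
                "EWS endpoint " + svc.Url + " is not trusted; refusing to send credentials.");

        return svc;
    }
}
```

Usage: call SecureEwsClient.Connect(user, password, true) and then, for example, svc.FindItems(WellKnownFolderName.Calendar, new ItemView(10)); the first request triggers the certificate callback. Setting ServicePointManager.ServerCertificateValidationCallback is process-wide, so in a larger application you would scope the same logic to the EWS connection (for instance via an HttpClientHandler) rather than install it globally.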