https://stackoverflow.com/questions/20982790
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianInstead of calling AutoDiscoverUrl(), you can set the url directly using exchangeService.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");.
Also, after calling AutoDiscoverUrl() you can also inspect the Url property of your ExchangeService object to see whether it resolves to a secure endpoint or to an endpoint that you trust (from a specific list in your config file for example).
To be absolutely sure the returned Url is safe and secure, you should verify that the returned certificate is from the organization you expect it to be and that the certificate is signed by a trusted authority. This process is explained here. The default implementation mentioned int he article also accepts self-signed certificates, you probably don't want to do that in your production code. You could pin the certificate to a specific fingerprint for example.
If you want to exclude self-signed certs, change the following code in the referenced sample to return false:
// When processing reaches this line, the only errors in the certificate chain are
// untrusted root errors for self-signed certificates. These certificates are valid
// for default Exchange server installations, so return true.
// Or when you know that the certificate is signed by a trusted root authority, return false.
return false;
To answer your question, the username/password is normally sent securely using NTLM or Kerberos. In the worst case they can be sent using basic authentication, but if you're connecting over SSL, than it shouldn't be easy to intercept the password as long as you validate the SSL certificates properly.
