Autodiscover implementation is insecure. Rated 1 out of 5 stars
After my company upgraded to exchange 2013 I was having trouble getting ExQuilla to connect again. While our IT department was trying to resolve a problem with a bad certificate being served I opened wireshark to determine exactly which host ExQuilla was connecting to. I then determined that it was using HTTP basic authentication to request the autodiscover.xml file over plain text and I was able to properly decode my password from the base64 authentication token.
ExQuilla did not even attempt an SSL connection to the exchange server for the discovery. This is unacceptable for the IT security policy and may even be the reason why the autodiscovery service was returning a 401 even with the right credentials. I now can not use ExQuilla for technical implementation reasons (it won't connect to our exchange 2013) and because it has been demonstrated to be out of compliance for our internal security policy.