They are both encrypted but since you can't verify the "server" certificate it is vulnerable to MITM.