Looking at the "Server Settings" panel for an email account in Firefox
1.5, I see these options:
Security Settings
Use secure connection:
() Never
() TLS, if available
() TLS
() SSL
[] Use secure authentication
I'm curious what "use secure authentication" actually does. I'd like to
see security be really easy for users, and I think they will find it
confusing (I certainly do) that "use secure authentication" is separate
from "use secure connection". How do the two differ?
I have a few theories:
1. Maybe "use secure authentication" is only meaningful when "use secure
connection" is set to "never", and in this case the effect of "use
secure authentication" is to encrypt the username/password exchange, but
use an unencrypted connection to transfer mail. Certainly when I choose
SSL, packet traces don't show a cleartext username or password, even
when "use secure authentication" is unchecked, so I get the feeling that
choosing SSL makes "use secure authentication" unnecessary. If this is
the case, then I think the UI should be modified as follows:
Security Settings
Use secure connection:
() Never
() Only for authentication
() TLS, if available
() TLS
() SSL
2. Maybe "use secure authentication" doesn't refer to encryption; maybe
instead it refers to a more robust authentication protocol. Maybe
something more than just username and password are exchanged in this
kind of setup. If this is the case, I'd be a big fan of explaining this
in some way - maybe more verbose text in the checkbox label?
Basically, I think users should easily be able to answer the question:
do I have a secure configuration that I'm comfortable with? If my
server supports SSL, but doesn't support secure authentication (which is
nicely indicated by a dialog box), is that OK, or do I need to look for
a better ISP?
Many thanks for any clarification.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
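The second theory in the post is the closer one: in mail clients of that era, "secure authentication" generally meant a SASL challenge-response mechanism such as CRAM-MD5 (RFC 2195), which protects only the credential exchange, while "secure connection" (SSL/TLS) encrypts the whole session, which is why a packet trace of an SSL session shows no cleartext password whether or not the box is checked. The example below is added here to illustrate that distinction and is not code from the original post or from Mozilla; it assumes the checkbox maps to CRAM-MD5-style authentication (an assumption, since the post does not say) and uses constructed sample credentials. It builds an AUTH PLAIN response and a CRAM-MD5 exchange, verifies the CRAM-MD5 response on the server side, and then checks what a passive observer of each exchange would see.

```python
import base64
import hashlib
import hmac

# Constructed sample values; they are not from the post or from any real server.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cret-pass"


def plain_response(username: str, password: str) -> bytes:
    """AUTH PLAIN (RFC 4616): base64 of NUL user NUL password.

    Base64 is an encoding, not encryption: without TLS the password is
    readable by anyone who sees the bytes on the wire.
    """
    return base64.b64encode(b"\0" + username.encode() + b"\0" + password.encode())


def cram_md5_challenge(hostname: str, counter: int, timestamp: int) -> bytes:
    """Server-side CRAM-MD5 challenge (RFC 2195): '<counter.timestamp@host>'.

    The challenge is sent base64-encoded and must be fresh for every login.
    """
    return base64.b64encode(f"<{counter}.{timestamp}@{hostname}>".encode())


def cram_md5_response(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client-side CRAM-MD5 response: 'user ' + hex(HMAC-MD5(password, challenge)).

    The password itself never leaves the client; only a keyed digest of the
    server's challenge does.
    """
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def cram_md5_verify(response_b64: bytes, challenge_b64: bytes, lookup_password) -> bool:
    """Server-side check of a CRAM-MD5 response.

    Caveat for defenders: the server must be able to recover the plaintext
    password (or a stored HMAC-MD5 context) for this user, so it cannot keep
    only a salted one-way hash the way it can with PLAIN over TLS.
    """
    decoded = base64.b64decode(response_b64).decode()
    username, _, digest = decoded.partition(" ")
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(expected, digest)


def password_visible_on_wire(wire_bytes: bytes, password: str) -> bool:
    """What a passive observer of an unencrypted session learns directly."""
    return password.encode() in base64.b64decode(wire_bytes)


def demo() -> dict:
    """Run both exchanges over a simulated cleartext connection."""
    # AUTH PLAIN with no TLS: the password is on the wire in recoverable form.
    plain = plain_response(SAMPLE_USER, SAMPLE_PASSWORD)

    # CRAM-MD5 with no TLS: challenge goes server -> client, digest goes back.
    challenge = cram_md5_challenge("mail.example.test", counter=1896, timestamp=697170952)
    response = cram_md5_response(SAMPLE_USER, SAMPLE_PASSWORD, challenge)
    server_ok = cram_md5_verify(
        response, challenge, lambda user: SAMPLE_PASSWORD if user == SAMPLE_USER else None
    )

    return {
        "plain_leaks_password": password_visible_on_wire(plain, SAMPLE_PASSWORD),
        "cram_leaks_password": password_visible_on_wire(response, SAMPLE_PASSWORD),
        "cram_server_accepts": server_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add to the poster's question of "is my configuration OK": the CRAM-MD5 exchange hides the password from a passive observer but still lets that observer attempt offline guessing against the captured challenge and digest, and it does nothing for the mail contents that follow; SSL/TLS protects both, which is why the usual recommendation is to require a secure connection and treat "secure authentication" as a secondary measure rather than a substitute.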