> I worry about existing users, given that "TLS, if available" was the
> default so far. I would propose that TB3, when it sees such a setting in
> an existing account for the first time, informs the user, and runs a
> limited version of our probing code of the new setup dialog (just the
> backend code, different UI) to check whether the server supports TLS or
> SSL. If it does, it tells the user and asks him whether we can change
> the setting to TLS/SSL always. If the server does not support SSL, we
> inform the user (same as in the setup dialog) (and set a pref so that we
> don't run the migration code again).

When the "TLS if available" code runs and succeeds in establishing
TLS, it should just silently switch to "always TLS".
It's safe to assume that users prefer encryption, once they know that it 
"just works".

Steffen
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security