Ben Bucksch wrote, On 2008-09-17 13:55:
> Thunderbird currently has the SSL options: "Never" (plain), "TLS, if
> available", "TLS" (always), and "SSL" (always), for incoming IMAP/POP3
> and outgoing SMTP servers (with slightly different UI wording). TLS is
> basically SSL version 3.
Damn! Those old wrong labels are STILL in use? Even after bug 185662 was allegedly fixed?

Please read all the way through bug 185662 and bug 350314. Those bugs will explain that the mode labeled as "TLS" is actually "STARTTLS", which is something very different. I've been trying to get those labels replaced with something better for years.

Bug 350314 also explains that the "TLS if available" option should be called "StartTLS, unless there's an attacker". That option should just go away. It is trivially attacked. Even if the server really does offer TLS, an attacker can easily fool the client into thinking that the server does not, so the client will not use TLS even though it is available.

The idea you proposed, of using "TLS, if available" as a way to just cause the one-time automatic detection and account configuration, has been proposed in several bugs, including bug 350314 comment 12. It was rejected four months ago because of an alleged string freeze.

The major news you've added in this email is that this exploit is now being massively utilized. That information should go into bug 350314.

Sorry for my bad attitude. I've been calling attention to this issue for months, and getting at most a ho-hum response. Maybe now, the news that this is being massively exploited will finally get it some attention.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
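The following is an added illustration written for this archive page; it is not code from Thunderbird or from either poster. It parses an SMTP EHLO reply in the RFC 5321 line format and applies each of the three client modes named in the thread to show why "STARTTLS if available" fails open while "always" fails closed. The two EHLO replies are constructed sample data: one as an honest server sends it, and one as the client observes it when the STARTTLS capability line has been removed in transit, which is the downgrade the reply above describes. The hostname and policy names are assumptions, not Thunderbird's own identifiers.

```python
"""Why "STARTTLS if available" fails open: policy applied to an EHLO reply.

Illustrative code for this mailing-list page, not Thunderbird's or the
posters' code.  Capability parsing follows RFC 5321 EHLO reply syntax.
"""

# Constructed EHLO reply from a server that advertises STARTTLS.
# 'mail.example.test' is a placeholder hostname.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed EHLO reply as the client sees it when the STARTTLS line
# has been stripped on the wire.  The server still supports TLS; the
# client simply never learns that.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Return the set of capability keywords in an EHLO reply.

    Every line after the greeting is '250-KEYWORD [args]', except the
    final line, which uses '250 ' (space) instead of '250-'.
    """
    caps = set()
    lines = [ln for ln in reply.split("\r\n") if ln]
    for line in lines[1:]:  # lines[0] is the greeting, not a capability
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO line: %r" % line)
        keyword = line[4:].split(" ", 1)[0].upper()
        caps.add(keyword)
    return caps


def decide(policy, reply):
    """Map a client policy and the observed EHLO reply to a decision.

    policy (assumed names for the modes the thread discusses):
      "never"         plain text, never upgrade
      "if_available"  opportunistic: upgrade only if STARTTLS is advertised
      "always"        require STARTTLS; refuse the session otherwise
    Returns "starttls", "plaintext" or "abort".
    """
    offered = "STARTTLS" in parse_ehlo(reply)
    if policy == "never":
        return "plaintext"
    if policy == "if_available":
        # Fail-open: whoever can edit the EHLO reply chooses this branch.
        return "starttls" if offered else "plaintext"
    if policy == "always":
        # Fail-closed: a missing capability is treated as a fault, never
        # as permission to send credentials in the clear.
        return "starttls" if offered else "abort"
    raise ValueError("unknown policy %r" % policy)


def compare_policies():
    """Decision table for both replies under every policy."""
    table = {}
    for policy in ("never", "if_available", "always"):
        table[policy] = (
            decide(policy, EHLO_WITH_STARTTLS),
            decide(policy, EHLO_STRIPPED),
        )
    return table


if __name__ == "__main__":
    for policy, (honest, stripped) in compare_policies().items():
        print("%-13s honest=%-9s stripped=%s" % (policy, honest, stripped))
```

The only row in which the stripped reply changes the outcome from an encrypted session to a plaintext one is "if_available"; under "always" the same manipulation merely produces a connection failure, which is visible and fixable rather than silent.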
