Johnathan Nightingale wrote:
> On 19-Sep-08, at 7:39 AM, Ben Bucksch wrote:
>
>> I think you are suggesting to (by default) use "TLS, if available"
>> instead of "no SSL", and to never configure "No SSL" (unless manually
>> requested), and to treat "TLS, if available" like unsecured in the UI.
>>
>> I can agree with that.
>
> That's it precisely. And thank you for expressing it so succinctly.
Great.
The important part is "treat 'TLS, if available' like unsecured in the
UI", though. We can't say "Automatic" or anything else that suggests
that people may be secure (because they not, even if STARTTLS works at a
given moment, because it may not work in 5 minutes).
How do we do that (in the Account Manager), and still differentiate this
option to the manually turned off SSL ("Never")?
The previous suggestions [ ] require TLS [ ] disable STARTTLS, i.e. two
checkboxen, don't work, at least not as-is, because we also have the
difference between SSL and TLS (TLS is the newer version of SSL).
Currently, we have a radio box.
If we want to keep that, we'd have to use
Use secure connection:
( ) Never (o) Insecure ( ) SSL ( ) TLS
where "Insecure" is the former "TLS if available".
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
