On 9/19/2008 10:50 PM, Stefanos Harhalakis wrote:
> On Saturday 20 September 2008, Ben Bucksch wrote:
>
>> The important part is "treat 'TLS, if available' like unsecured in the
>> UI", though. We can't say "Automatic" or anything else that suggests
>> that people may be secure (because they are not, even if STARTTLS works at a
>> given moment, because it may not work in 5 minutes).
>>
>> How do we do that (in the Account Manager), and still differentiate this
>> option from the manually turned off SSL ("Never")?
>>
>
> I believe that kmail's approach works better (?) in this case w.r.t. the
> end-user. It doesn't alter its behaviour at run-time but it has a 'check what
> server supports' button. This way, the auto-detection is performed once
> (during configuration) and the user is immediately notified.
>
> Based on other comments, I don't see how an altering behaviour may be
> considered secure. Perhaps an upgrade-only behavior (for the automatic
> option) would be more secure: if it ever detects STARTTLS support then it
> would just upgrade to TLS and keep it like that.
>
> Also, all these could be replaced by a notification box that is shown whenever
> the user selects no encryption but TB detects STARTTLS (perhaps with a valid
> certificate). It can then ask the user for upgrading to TLS and automatically
> change the configuration setting (STARTTLS). This can also be used in
> the 'Never' case (with a "don't ask me again" checkbox), so that the 'Never'
> and the 'Insecure' options will actually become one.
>

Sorry I'm jumping in here really late.

There are two major use cases we're looking at w.r.t. this problem that align with what has been discussed.

1) Users w/ TLSiA upgrading from Thunderbird 1, 2 to TB3
2) Users creating new accounts in TB3

For (1) I think everyone has agreed that defaulting to STARTTLS as our lowest level of connection to the server (with the legacy means to disable STARTTLS in favor of just plain text) means that TB3 can upgrade to a secure connection as soon as the server supports it and then should continue to use that secure connection as its default. This will transition existing users who are prone to a MITM attack away from that danger. There are some user interaction issues that need to be worked out for the upgrade; how to notify the users (if at all) of the upgrade can be discussed later.

For (2) the new account configuration page (planned to land in TB3b2) essentially does this 'check what the server supports' automatically for the user. Servers (POP, IMAP, SMTP) are examined for the type of connections they support and we default the user to secure protocols that the server supports. There aren't options for STARTTLS or TLSiA given to the user; the only option other than secure (SSL or TLS) would be None. Of course the None option can really be STARTTLS in the same way (1) works.

So "TLS, if available" will no longer be in the UI as a choice since we either upgrade people to TLS or treat them as insecure using STARTTLS. By being as automatic as we are it will be a win for users to "just get the right thing" and help move people who were using the "automatic" secure choice to a real secure choice.

Cheers,
~ Bryan

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
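The thread's core point is the difference between the legacy "TLS, if available" behaviour, which silently falls back to plain text whenever a server (or a man-in-the-middle stripping the capability) stops advertising STARTTLS, and the "upgrade-only" ratchet Stefanos proposes and Bryan adopts for case (1): once STARTTLS has been seen, the account is persisted as STARTTLS-required and a later absence of the capability aborts the session instead of downgrading. The model below is an added example, not Thunderbird's or kmail's code; the setting names, the `Account` record and the capability banners are constructed for illustration.

```python
"""Model of opportunistic vs. upgrade-only STARTTLS handling (constructed example).

The setting names below are assumptions of this example, not real Thunderbird
preference keys.
"""
from dataclasses import dataclass, replace

NEVER = "never"                 # user explicitly chose plain text only
IF_AVAILABLE = "if-available"   # legacy "TLS, if available" (opportunistic)
REQUIRED = "starttls"           # STARTTLS mandatory; abort if not offered


@dataclass(frozen=True)
class Account:
    """The persisted security setting of one mail account."""
    security: str


def advertises_starttls(capability_lines):
    """Return True if a POP3 CAPA, IMAP CAPABILITY or SMTP EHLO response
    lists STARTTLS (SMTP/IMAP) or STLS (POP3)."""
    for line in capability_lines:
        # Normalise the SMTP multi-line form "250-STARTTLS" to "250 STARTTLS"
        words = line.strip().upper().replace("250-", "250 ").split()
        if "STARTTLS" in words or "STLS" in words:
            return True
    return False


def negotiate(account, capability_lines, upgrade_only=True):
    """Decide how one session continues after reading the server's capabilities.

    Returns (action, account_after), where action is 'tls', 'plaintext' or
    'abort'. With upgrade_only=True an IF_AVAILABLE account that sees STARTTLS
    is ratcheted to REQUIRED, and that change is what the client would persist.
    """
    offered = advertises_starttls(capability_lines)
    if account.security == NEVER:
        return "plaintext", account
    if account.security == REQUIRED:
        return ("tls" if offered else "abort"), account
    # IF_AVAILABLE: use TLS when offered, and optionally remember that fact.
    if offered:
        if upgrade_only:
            return "tls", replace(account, security=REQUIRED)
        return "tls", account
    return "plaintext", account


def run_sessions(account, sessions, upgrade_only=True):
    """Play several sessions in a row, carrying the persisted setting forward."""
    actions = []
    for caps in sessions:
        action, account = negotiate(account, caps, upgrade_only)
        actions.append(action)
    return actions, account


# Constructed SMTP EHLO responses: an honest server, and the same server seen
# through a connection where the STARTTLS line has been removed.
HONEST = [
    "250-mail.example.test",
    "250-STARTTLS",
    "250 AUTH PLAIN LOGIN",
]
STRIPPED = [
    "250-mail.example.test",
    "250 AUTH PLAIN LOGIN",
]
# The POP3 and IMAP spellings are recognised too.
POP3_CAPA = ["USER", "STLS", "UIDL"]
IMAP_CAPA = ["* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"]


if __name__ == "__main__":
    legacy, _ = run_sessions(Account(IF_AVAILABLE), [HONEST, STRIPPED], upgrade_only=False)
    ratchet, after = run_sessions(Account(IF_AVAILABLE), [HONEST, STRIPPED], upgrade_only=True)
    print("legacy 'TLS, if available':", legacy)       # second session downgrades
    print("upgrade-only:", ratchet, "->", after.security)  # second session aborts
```

The first-contact gap is deliberate: an `IF_AVAILABLE` account whose very first session already lacks STARTTLS has nothing to ratchet from and still goes plain text, which is exactly why case (2) moves the capability check to account creation, where the client picks SSL or STARTTLS before any credentials are sent.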