On 9/19/2008 10:50 PM, Stefanos Harhalakis wrote:
> On Saturday 20 September 2008, Ben Bucksch wrote:
>
>> The important part is "treat 'TLS, if available' like unsecured in the
>> UI", though. We can't say "Automatic" or anything else that suggests
>> that people may be secure (because they are not, even if STARTTLS works at a
>> given moment, because it may not work in 5 minutes).
>>
>> How do we do that (in the Account Manager), and still differentiate this
>> option to the manually turned off SSL ("Never")?
>
>
> I believe that kmail's approach works better (?) in this case w.r.t. the
> end-user. It doesn't alter its behaviour at run-time but it has a 'check what
> server supports' button. This way, the auto-detection is performed once
> (during configuration) and the user is immediately notified.
>
> Based on other comments, I don't see how an altering behaviour may be
> considered secure. Perhaps an upgrade-only behavior (for the automatic
> option) would be more secure: If it ever detects STARTTLS support then it
> would just upgrade to TLS and keep it like that.
>
> Also, all these could be replaced by a notification box that is shown whenever
> the user selects no encryption but TB detects STARTTLS (perhaps with a valid
> certificate). It can then ask the user for upgrading to TLS and automatically
> change the configuration setting (STARTTLS). This can also be used in
> the 'Never' case (with a don't ask me again checkbox), so that the 'Never'
> and the 'Insecure' options will actually become one.
>
Sorry I'm jumping in here really late.

There are two major use cases we're looking at w.r.t. this problem that 
align with what has been discussed.
1) Users w/ TLSiA upgrading from Thunderbird 1/2 to TB3
2) Users creating new accounts in TB3

For (1) I think everyone has agreed that defaulting to STARTTLS as our 
lowest level of connection to the server (with the legacy means to 
disable STARTTLS in favor of just plain text) means that TB3 can upgrade 
to a secure connection as soon as the server supports it and then should 
continue to use that secure connection as its default.  This will 
transition existing users who are prone to a MITM attack away from that 
danger.  There are some user interaction issues that need to be worked 
out for the upgrade, how to notify the users (if at all) of the upgrade 
can be discussed later.

For (2) the new account configuration page (planned to land in TB3b2) 
essentially does this 'check what the server supports' automatically for 
the user.  Servers (POP, IMAP, SMTP) are examined for the type of 
connections they support and we default the user to secure protocols 
that the server supports.  There aren't options for STARTTLS or TLSiA 
given to the user; the only option other than secure (SSL or TLS) would 
be None.  Of course the None option can really be STARTTLS in the same 
way (1) works.

So "TLS, if available" will no longer be in the UI as a choice since we 
either upgrade people to TLS or treat them as insecure using STARTTLS.  
By being as automatic as we are it will be a win for users to "just get 
the right thing" and help move people who were using the "automatic" 
secure choice to a real secure choice.

Cheers,
~ Bryan
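The three policies argued over in this thread ("Never", the legacy "TLS, if available", and Stefanos's upgrade-only proposal) modelled as a small decision routine; this is an added illustration, not Thunderbird or KMail code, and the IMAP CAPABILITY lines it feeds in are constructed for the example. It shows concretely why "TLS, if available" is MITM-prone (a stripped STARTTLS token silently yields plaintext) and how pinning after the first successful upgrade turns a later downgrade into a detectable failure.

```python
# Added example (not from the thread): model of the connection policies
# discussed above, applied to constructed IMAP CAPABILITY reply lines.
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    NEVER = "never"                    # plain text only, by explicit user choice
    IF_AVAILABLE = "tls_if_available"  # legacy TLSiA: silently falls back
    UPGRADE_ONLY = "upgrade_only"      # pin TLS once STARTTLS was ever seen


@dataclass
class Account:
    policy: Policy
    tls_pinned: bool = False  # becomes True once UPGRADE_ONLY saw STARTTLS


def server_offers_starttls(capability_line: str) -> bool:
    """Parse an IMAP '* CAPABILITY ...' reply for the STARTTLS token."""
    tokens = capability_line.strip().split()
    # Skip the leading '*' and 'CAPABILITY' tokens; match case-insensitively.
    return any(tok.upper() == "STARTTLS" for tok in tokens[2:])


def decide(account: Account, capability_line: str) -> str:
    """Return 'tls', 'plaintext' or 'refuse' for one connection attempt."""
    offered = server_offers_starttls(capability_line)
    if account.policy is Policy.NEVER:
        return "plaintext"
    if account.policy is Policy.IF_AVAILABLE:
        # Downgrade-prone: a missing STARTTLS token silently means plaintext.
        return "tls" if offered else "plaintext"
    # UPGRADE_ONLY: upgrade as soon as STARTTLS is seen, then keep it.
    if offered:
        account.tls_pinned = True
        return "tls"
    # Once pinned, a missing STARTTLS is treated as a probable MITM downgrade.
    return "refuse" if account.tls_pinned else "plaintext"


def simulate(policy: Policy, capability_lines: list[str]) -> list[str]:
    """Run successive connection attempts for one account, returning decisions."""
    account = Account(policy)
    return [decide(account, line) for line in capability_lines]


# Constructed sample replies: a genuine server and the same server as seen
# through a man-in-the-middle that stripped the STARTTLS capability.
GOOD = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
STRIPPED = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
```

Running `simulate(Policy.IF_AVAILABLE, [GOOD, STRIPPED])` gives `['tls', 'plaintext']`, while `simulate(Policy.UPGRADE_ONLY, [GOOD, STRIPPED])` gives `['tls', 'refuse']`, which is the difference the upgrade-only proposal relies on.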
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security