[tor-bugs] #10836 [TorBirdy]: Enable mail account autoconfig dialog in TorBirdy

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 8 01:12:50 UTC 2014 

#10836: Enable mail account autoconfig dialog in TorBirdy
-------------------------+---------------------
 Reporter:  ben          |          Owner:  ben
     Type:  enhancement  |         Status:  new
 Priority:  normal       |      Milestone:
Component:  TorBirdy     |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+---------------------
 Currently, TorBirdy entirely blocks the mail account autoconfig dialog in
 Thunderbird. It requires the user to manually configure the mail account
 servers.

 -----

 This is suboptimal, because the declared goal of TorBirdy is to reach
 common users (not geeks), and common users have massive problems with this
 configuration. This is why they use webmail, and why we write this dialog
 to help them with Thunderbird - they simply *can't* do it alone.

 Furthermore, if they try to find the settings themselves on the web, they
 * expose themselves to similar or worse phishing attempts (if you can
 serve a bad config XML file, you can serve a bad HTML documentation page)
 * more importantly, the mail configs published by the ISPs are often
 without encryption.

 With the ISPDB, I took great care to find and use the best config that an
 ISP offers, esp. SSL and encrypted passwords, even if that config is
 undocumented and not officially supported. In a way, you could compare the
 ISPDB with HTTPS Everywhere, because it performs a similar function (use
 SSL where possible, even if not advertized by site) and even similar means
 (HTTPS Everywhere communicates with some central servers, just like the
 Mozilla ISPDB).

 Thus, I think disabling the autoconfig dialog does users a dis-service not
 only in convenience and usability (in the literal sense of the word), but
 more importantly in security, because we know about SSL configs that users
 might not know or find.

 -----

 The reason why the autoconfig dialog was disabled were some HTTP (without
 SSL) calls and direct socket calls.
 Thus, in Mozilla bug 669282 [1], I attached a patch to disable them. I
 wrote this patch specifically for TorBirdy.
 [1] https://bugzilla.mozilla.org/show_bug.cgi?id=669282

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10836>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list