GitLab

Currently, TorBirdy entirely blocks the mail account autoconfig dialog in Thunderbird. It requires the user to manually configure the mail account servers.

---

This is suboptimal, because the declared goal of TorBirdy is to reach common users (not geeks), and common users have massive problems with this configuration. This is why they use webmail, and why we write this dialog to help them with Thunderbird - they simply can't do it alone.

Furthermore, if they try to find the settings themselves on the web, they

• expose themselves to similar or worse phishing attempts (if you can serve a bad config XML file, you can serve a bad HTML documentation page)
• more importantly, the mail configs published by the ISPs are often without encryption.

With the ISPDB, I took great care to find and use the best config that an ISP offers, esp. SSL and encrypted passwords, even if that config is undocumented and not officially supported. In a way, you could compare the ISPDB with HTTPS Everywhere, because it performs a similar function (use SSL where possible, even if not advertized by site) and even similar means (HTTPS Everywhere communicates with some central servers, just like the Mozilla ISPDB).

Thus, I think disabling the autoconfig dialog does users a dis-service not only in convenience and usability (in the literal sense of the word), but more importantly in security, because we know about SSL configs that users might not know or find.

---

The reason why the autoconfig dialog was disabled were some HTTP (without SSL) calls and direct socket calls. Thus, in Mozilla bug 669282 [1], I attached a patch to disable them. I wrote this patch specifically for TorBirdy. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=669282

Trac:
Username: ben