Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
Trac
Trac
  • Project overview
    • Project overview
    • Details
    • Activity
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Operations
    • Operations
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value Stream
  • Wiki
    • Wiki
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Create a new issue
  • Issue Boards

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

  • Legacy
  • TracTrac
  • Issues
  • #10836

Closed
Open
Opened Feb 08, 2014 by Trac@tracbot

Enable mail account autoconfig dialog in TorBirdy

Currently, TorBirdy entirely blocks the mail account autoconfig dialog in Thunderbird. It requires the user to manually configure the mail account servers.


This is suboptimal, because the declared goal of TorBirdy is to reach common users (not geeks), and common users have massive problems with this configuration. This is why they use webmail, and why we write this dialog to help them with Thunderbird - they simply can't do it alone.

Furthermore, if they try to find the settings themselves on the web, they

  • expose themselves to similar or worse phishing attempts (if you can serve a bad config XML file, you can serve a bad HTML documentation page)
  • more importantly, the mail configs published by the ISPs are often without encryption.

With the ISPDB, I took great care to find and use the best config that an ISP offers, esp. SSL and encrypted passwords, even if that config is undocumented and not officially supported. In a way, you could compare the ISPDB with HTTPS Everywhere, because it performs a similar function (use SSL where possible, even if not advertized by site) and even similar means (HTTPS Everywhere communicates with some central servers, just like the Mozilla ISPDB).

Thus, I think disabling the autoconfig dialog does users a dis-service not only in convenience and usability (in the literal sense of the word), but more importantly in security, because we know about SSL configs that users might not know or find.


The reason why the autoconfig dialog was disabled were some HTTP (without SSL) calls and direct socket calls. Thus, in Mozilla bug 669282 [1], I attached a patch to disable them. I wrote this patch specifically for TorBirdy. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=669282

Trac:
Username: ben

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: legacy/trac#10836