== Philor ==
Philor: A webhoster which is allowing customers to register subdomains. So, a customer has fred@hoster.com and example.hoster.com. Now, if the attacker registers autoconfig.hoster.com, it can redirect Fred to imap.evil.com and get the password.
Ben Bucksch: I can see two possible counter-measures for that:
# The webhoster must block the autoconfig subdomain or register/use it himself.
# We could also contact https://<domain>/autoconfig/mail/mozilla.xml before we contact https://autoconfig.<domain>/autoconfig/mail/mozilla.xml
Advantage of 2) is that it's a bit easier to set up (no new host). Disadvantage is that it creates more 404 spam in the hoster's logfile (same as /favicon.ico, which I hate).
Microsoft has a very, very similar feature in Outlook / Exchange 2007, which also contacts "https://<domain>/autodiscover/autodiscover.xml" and "https://autodiscover.<domain>/autodiscover/autodiscover.xml", so they do exactly the same (same idea independently), and they used 2) above. (There are some differences in the XML files, so dropping our own format in favor of Microsoft's is not a good idea, but I plan to implement autodiscover as well, in case we talk to Exchange 2007 servers.)
Also, we require a proper SSL certificate. I don't think that many of these webhosters give out real IP addresses on these domains, it's usually only Virtual Hosting (HTTP "Host:"), which prevents the use of a proper SSL certificate. I think CAs also demand that you're in control of the SLD (second level domain), not just a subdomain, but I'm not sure about that.
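The two counter-measures Ben lists above, as an added Python example that is not part of the wiki discussion; the function names, the reserved-label list and the sample hostnames are assumptions for illustration:

```python
# Added example, not from the discussion above. Shows counter-measure 1 (the
# hoster refuses "autoconfig"-style subdomain registrations) and counter-measure
# 2 (the client probes the bare domain before the autoconfig subdomain).
# RESERVED_LABELS and the function names are illustrative assumptions.

# Host labels that Thunderbird (autoconfig) and Outlook (autodiscover) resolve
# automatically. A hoster handing out subdomains should keep these for itself.
RESERVED_LABELS = frozenset({"autoconfig", "autodiscover"})


def subdomain_registration_allowed(requested: str, provider_domain: str) -> bool:
    """Counter-measure 1: refuse a customer subdomain of provider_domain if any
    of its customer-chosen labels is one that mail clients probe automatically.
    Returns False for names that are not under provider_domain at all."""
    requested = requested.strip().lower().rstrip(".")
    suffix = "." + provider_domain.lower()
    if not requested.endswith(suffix):
        return False  # not a subdomain of this provider; nothing to grant
    labels = requested[: -len(suffix)].split(".")
    # Every customer-controlled label is checked, so a deeper name such as
    # autoconfig.example.hoster.com is refused as well (a generalization of
    # the single-label case discussed above).
    return not any(label in RESERVED_LABELS for label in labels)


def autoconfig_urls(email: str) -> list:
    """Counter-measure 2: candidate config URLs in the proposed order. The bare
    domain (served by whoever runs the domain itself) is tried first; the
    autoconfig subdomain, which a hoster may have let a third party register,
    comes second. HTTPS only, since the config names the server to send the
    password to."""
    domain = email.rsplit("@", 1)[1].strip().lower()
    return [
        f"https://{domain}/autoconfig/mail/mozilla.xml",
        f"https://autoconfig.{domain}/autoconfig/mail/mozilla.xml",
    ]


if __name__ == "__main__":
    # Constructed sample inputs matching the scenario in the discussion.
    for name in ("example.hoster.com", "autoconfig.hoster.com"):
        print(name, "->", "allowed" if subdomain_registration_allowed(name, "hoster.com") else "refused")
    for url in autoconfig_urls("fred@hoster.com"):
        print(url)
```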