Thunderbird:Autoconfiguration:Security

From MozillaWiki

ISP config lookup

To avoid password stealing (DNS attacks are easy), we should verify the authenticity of the configuration file, i.e. that it comes from the company which owns the email domain. This could be done by downloading the config file via HTTPS, but that is only useful if we actually check the domain name (subject) in the certificate against the email address domain that the user entered. That would be as secure as HTTPS on the web, but it runs into a problem for email providers with vanity domains like coolpeople.com: they won't buy a cert for each domain.

Mozilla config lookup

If the configuration files on the Mozilla service can be contributed in a wiki-like way by anonymous people, password thieves could just submit a config file for a big ISP and wait for the passwords to come in. The server should check that the domain of the IMAP/SMTP servers matches the domain of the email address that the config applies to, e.g. the config file for aol.com must have something.aol.com as IMAP/SMTP server. That will work for many providers, but not for those which have several domains going to the same server (e.g. gmail.com = googlemail.com), so there probably either need to be some automated tests (e.g. checking that both domains are served by the same DNS server and return the same MX entries) or, failing that, a trusted human moderator.
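As an added example (not from this page and not Thunderbird's own code), here is the submission-side check described above in Python: every IMAP/SMTP host must sit under the email domain, with the same-MX fallback for multi-domain providers and a hand-off to a human moderator when both tests fail. The MX table, `sample_mx_lookup` and the verdict strings are constructed stand-ins for a live DNS query, and `registrable_domain` assumes two-label domains with no public-suffix list.

```python
from typing import Callable, Mapping, Sequence

# Constructed sample MX answers standing in for live DNS lookups; a real
# check would query the MX records of both domains instead.
SAMPLE_MX: Mapping[str, Sequence[str]] = {
    "gmail.com": ["gmail-smtp-in.l.google.com."],
    "googlemail.com": ["gmail-smtp-in.l.google.com."],
    "aol.com": ["mx.aol.example."],          # placeholder value
    "evil.example": ["mx.evil.example."],    # placeholder value
}

MxLookup = Callable[[str], Sequence[str]]


def sample_mx_lookup(domain: str) -> Sequence[str]:
    """Offline stand-in for an MX query; unknown domains return no records."""
    return SAMPLE_MX.get(domain.lower().rstrip("."), [])


def host_under_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it. A bare endswith()
    would accept 'notaol.com' for 'aol.com', so compare on a label boundary."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def same_mx(domain_a: str, domain_b: str, mx_lookup: MxLookup) -> bool:
    """The automated test from the page: both domains share the same MX set."""
    a = {h.lower().rstrip(".") for h in mx_lookup(domain_a)}
    b = {h.lower().rstrip(".") for h in mx_lookup(domain_b)}
    return bool(a) and a == b


def check_config(email_domain: str, servers: Sequence[str],
                 mx_lookup: MxLookup = sample_mx_lookup) -> str:
    """Verdict for a contributed config: 'auto-accept' (all hosts under the
    email domain), 'auto-accept-mx' (a host under another domain with the
    same MX records) or 'needs-moderator' (automated checks failed)."""
    verdict = "auto-accept"
    for server in servers:
        if host_under_domain(server, email_domain):
            continue
        if same_mx(email_domain, registrable_domain(server), mx_lookup):
            verdict = "auto-accept-mx"
            continue
        return "needs-moderator"
    return verdict
```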