[Bug 308181]

Noah 308181 at bugs.launchpad.net
Wed Jan 9 22:30:34 UTC 2019


I would love to have this implemented in Thunderbird, as a sysadmin that
would like to make it easier for our users to connect to our service.

Regarding the security context of this, I actually think it's a great
improvement, because it means people are more likely to automatically
set up encrypted mail through imap(S) than if they have to manually
enter the details.

2. As pointed out, the MITM risk is no worse than the current http
method, and the guessing method (which actually uses the wrong server
for us).

3. The MITM risk is only at setup time. If the user doesn't use
autoconfig, and ends up using unencrypted mail, they are at MiTM risk
everywhere they go, every coffee shop wifi, etc. Since the MITM risk is
only at setup time, it's extremely hard for an attacker to exploit,
because they have to convince the user to delete and recreate the
connection in order to be able to hijack the autoconfigure request.

4. Doesn't the current UX flow mean that the user's password is only sent
to the server *AFTER* the autoconfigure completes and the server details
are shown to them? What is the problem here? Doesn't the user get a
chance to verify the server details?

https://bugs.launchpad.net/bugs/308181

Title:
  xmpp4moz doesn't read SRV DNS records
