Implement an explanation before allowing the user to add a mail server exception
Categories
(Thunderbird :: Account Manager, enhancement, P1)
Tracking
(Not tracked)
People
(Reporter: KaiE, Assigned: KaiE, NeedInfo)
Attachments
(2 files)
Please see bug 1981098 comment 5.
The recent change from bug 1981098 makes it very easy for a user to override a bad certificate. In my opinion, it shouldn't be that easy.
The problem is that no guidance at all is provided to the user.
If a user wants to connect to a server, and it doesn't work, and the solution is "click here to make it work", then users will click it. But they should do so only after understanding the risk.
Please, when the user clicks the "add exception" link, please bring up UI that explains what's going on.
I suggest to go ahead and do that by showing the existing add exception dialog. That way you are reusing the various information text that already exists (that explains why a certificate is considered wrong), so you don't have to re-implement that.
By having to go through that dialog, the user can learn what they are doing, and has the chance to reach out for assistance, if they need more information.
Comment 1•2 months ago
Using the regression keyword here is not really accurate since this is not regressing any functionality or creating a bug.
This is more an enhancement request and a hardening to better guide those users that might find themselves in this situation.
Can you share the screenshot of the "Add Exception" dialog so we can evaluate if it properly fits our needs?
Comment 2•1 month ago
(In reply to Alessandro Castellani [:aleca] from comment #1)
> Using the regression keyword here is not really accurate since this is not regressing any functionality or creating a bug.
> This is more an enhancement request and a hardening to better guide those users that might find themselves in this situation.
I consider it a security regression, because the recent change has the effect that we no longer warn users sufficiently and make adding an override too easy.
Comment 3•1 month ago
Comment 4•1 month ago
(In reply to Alessandro Castellani [:aleca] from comment #1)
> Can you share the screenshot of the "Add Exception" dialog so we can evaluate if it properly fits our needs?
Done.
This is the general purpose dialog that is also used by Firefox.
Note the middle section is dynamic.
In this example, it starts with the heading "Outdated Information" and includes the sentence that is shown below.
Depending on the specific problem with the received certificate, this section displays the appropriate explanation.
Comment 5•1 month ago
Comment 6•1 month ago
The attached patch implements my proposal.
I would like to ask for feedback, whether you can accept this solution.
I am not yet asking for review, because I haven't yet done the additional work to adjust the automated tests.
Before I do so, I would like to get a "go ahead" that this approach is ok.
Comment 7•1 month ago
(In reply to Kai Engert [:KaiE:] from comment #6)
> The attached patch implements my proposal.
> I would like to ask for feedback, whether you can accept this solution.
> I am not yet asking for review, because I haven't yet done the additional work to adjust the automated tests.
> Before I do so, I would like to get a "go ahead" that this approach is ok.
There was no feedback within two weeks.
I'll go ahead and request review for the incomplete patch.
Pushed by jtracey@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/b6c32ad06560
Use the exception dialog when overriding a bad certificate from within account settings. r=darktrojan