Open Bug 664634 Opened 13 years ago Updated 2 years ago

Improve Thunderbird's behavior if an invalid certificate is seen for a host with a previous good certificate

Categories

(Thunderbird :: Security, enhancement)

enhancement

Tracking

(Not tracked)

People

(Reporter: briansmith, Unassigned)

Details

(Keywords: privacy)

+++ This bug was initially created as a clone of Bug #664633 +++

Today, when Thunderbird encounters an invalid SSL certificate, it makes it really easy--too easy--for the user to configure an exception for that certificate. It makes it easy because many IMAPS and SMTPS servers use non-validatable certificate chains (self-signed certs, etc.) However, it is very unlikely that a server will start using a non-validatable certificate chain after it was previously using one that validated correctly. So, once a successful connection to a server has been made, Thunderbird should not prompt the user to add an exception.

If the local copy of the auto-configuration database says that a valid certificate chain for a server should be provided (which would be the case for almost all of the servers in the auto-configuration database, AFAICT), then we should never prompt the user to add an exception for that server.

Note that this will happen frequently when users are behind captive portals, which is how I noticed it.
look at this with account sec
Whiteboard: [sr:curtisk]
Whiteboard: [sr:curtisk] → [secr:curtisk]
Flags: sec-review+
It is not unheard of that some server admin who previously paid for an SSL certificate after its expiration no longer bothers to pay, but takes a self-signed one.
Suggestions:
1) still show the exception dialog, but add a warning that previously, a valid certificate of issuer xyz was found
2) in particular, if the new self-sig certificate is found > 10 days before the expiration of the previous one, add a (large/red) Man-in-the-middle warning!
I would like to work on this bug. Can I pick this? Please give the necessary information regarding the bug.
Thanks
Whiteboard: [secr:curtisk]
Assignee: nobody → adarshdinesh

I think we need a better user interface for dealing with certificate errors on servers.

The "add override" dialog was designed as part of work for the Firefox browser. In Firefox, the dialog is shown only after the user has been told about a problem with other UI (an error page shown in the browser), after the user has explicitly clicked a button to learn about more details of the problem, and as a third step, the user has deliberately clicked a button to request an override for the problem.

In Thunderbird, a very pragmatic solution has apparently been chosen (probably caused by lack of developer resources), which immediately shows the advanced dialog to add an exception. This clearly isn't ideal.

I think Thunderbird should get a better error reporting UI, where it informs the user about the problems currently experienced with the server connection.

In the captive portal situation mentioned above, that's a challenging problem for user interface design, because a user would get multiple failure reports at once (e.g. hostname mismatches for all configured mail servers).

IMHO Thunderbird should display some summary about current issues, like a notification bar. Because we cannot or should not show multiple notification bars in parallel, maybe the contents of the notification should be a "summary" of what's going on (e.g. "connection errors with 12 servers").

When clicked, we should display a dialog that has more problems. Maybe a list of all affected servers. Maybe clicking one entry could offer a dialog with the details of the problem for that specific server. And only there, offer the advanced option to access the dialog that can add an override for the server.

On the first dialog that lists multiple problems, we should probably be smart, and suggest the likely cause to the user. If multiple problems are found at the same time, we should explain that a likely issue is the network connection currently used by the user. And a suggestion to use a web browser to investigate the current Internet connection, prior to trying to fix the issue with Thunderbird.
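The policy sketched across the comments above (remember the last certificate that validated per host, refuse to offer an exception when the autoconfig database expects a valid chain, warn about the previous issuer, escalate to a man-in-the-middle warning when the previous certificate still had more than 10 days to run, and collapse many simultaneous failures into one "connection errors with N servers" notification) can be written down as a small decision function. The following is an added illustration, not Thunderbird code: `CertInfo`, `CertHistory`, `classify` and `summarize` are hypothetical names, the 10-day window is taken from comment 2, and the hosts and certificates in `run_scenario` are constructed to model the captive-portal case described in the bug.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed view of what the TLS validator reports about a server certificate.
@dataclass(frozen=True)
class CertInfo:
    fingerprint: str
    issuer: str
    not_after: datetime
    valid_chain: bool      # True when ordinary chain validation succeeded
    error: str = ""        # e.g. "self-signed", "hostname-mismatch" when valid_chain is False

@dataclass(frozen=True)
class HostRecord:
    cert: CertInfo         # last certificate that validated for this host
    seen_at: datetime

class CertHistory:
    """Hypothetical per-host memory of the last certificate that validated."""
    def __init__(self):
        self._hosts = {}

    def record_success(self, host, cert, now):
        if cert.valid_chain:
            self._hosts[host] = HostRecord(cert, now)

    def last_good(self, host):
        return self._hosts.get(host)

MITM_WINDOW = timedelta(days=10)   # threshold suggested in comment 2

def classify(history, host, cert, now, expected_valid_by_autoconfig=False):
    """Decide how the UI should react to `cert` as presented by `host`.
    Returns (verdict, message); verdicts are hypothetical UI states."""
    if cert.valid_chain:
        history.record_success(host, cert, now)
        return ("ok", "")
    prev = history.last_good(host)
    if prev is None:
        if expected_valid_by_autoconfig:
            # Autoconfig says this server provides a valid chain: never prompt.
            return ("refuse", f"{host}: autoconfig expects a valid chain, not offering an exception ({cert.error})")
        # First contact with a server that has no known-good history: exceptions are common here.
        return ("offer_exception", f"{host}: {cert.error}; no prior valid certificate, an exception may be added")
    time_left = prev.cert.not_after - now
    if time_left > MITM_WINDOW:
        # A still-valid certificate replaced by an invalid one long before expiry is suspicious.
        return ("mitm_warning", f"{host}: previous certificate from {prev.cert.issuer} is still valid for "
                                f"{time_left.days} days; possible man-in-the-middle")
    when = (f"expires in {time_left.days} days" if time_left >= timedelta(0)
            else f"expired {-time_left.days} days ago")
    return ("warn_previous_issuer", f"{host}: a valid certificate from {prev.cert.issuer} was seen before ({when})")

def summarize(verdicts):
    """Collapse per-server verdicts into one notification (captive-portal heuristic)."""
    failed = {h: v for h, v in verdicts.items() if v[0] != "ok"}
    if not failed:
        return None
    if len(failed) == 1:
        (host, (_verdict, message)), = failed.items()
        return (message, [host])
    return (f"connection errors with {len(failed)} servers; check your network connection in a web "
            f"browser before changing any server settings", sorted(failed))

def run_scenario():
    """Constructed scenario: two known servers behind a captive portal, one autoconfig host, one new host."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    history = CertHistory()
    yesterday = now - timedelta(days=1)
    # Earlier sessions saw valid chains: one cert with 200 days left, one with only 5.
    history.record_success("imap.example.net",
                           CertInfo("sha256:good-imap", "Example CA", now + timedelta(days=200), True), yesterday)
    history.record_success("smtp.example.net",
                           CertInfo("sha256:good-smtp", "Example CA", now + timedelta(days=5), True), yesterday)
    # Today every server answers with the portal's certificate (hostname mismatch).
    portal = CertInfo("sha256:portal", "Captive Portal Inc", now + timedelta(days=365), False, "hostname-mismatch")
    newhost = CertInfo("sha256:self", "mail.newhost.test", now + timedelta(days=365), False, "self-signed")
    verdicts = {
        "imap.example.net": classify(history, "imap.example.net", portal, now),
        "smtp.example.net": classify(history, "smtp.example.net", portal, now),
        "imap.example.org": classify(history, "imap.example.org", portal, now, expected_valid_by_autoconfig=True),
        "mail.newhost.test": classify(history, "mail.newhost.test", newhost, now),
    }
    return verdicts, summarize(verdicts)

if __name__ == "__main__":
    results, summary = run_scenario()
    for host, (verdict, message) in results.items():
        print(f"{verdict:22} {message}")
    print("notification:", summary)
```

Running the scenario yields a `mitm_warning` for `imap.example.net` (its known-good certificate had 200 days left), a milder `warn_previous_issuer` for `smtp.example.net` (5 days left), a `refuse` for the autoconfig host and a plain `offer_exception` for the never-seen host; since four servers fail at once, the summary reads "connection errors with 4 servers" and points the user at the network first, which is the behaviour comment 3 asks for.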

Assignee: adarshdinesh → nobody
Severity: major → normal
Type: defect → enhancement
Summary: Thunderbird should not auto-prompt for adding a TLS certificate exception when a previous connection to the same server has already provided a valid certificate → Improve Thunderbird's behavior if an invalid certificate is seen for a host with a previous good certificate
Severity: normal → S3