Open Bug 664636 Opened 13 years ago Updated 2 years ago

Thunderbird should (semi-)automatically improve the security-related server configuration settings when it knows an improvement could be made

Categories

(Thunderbird :: Security, enhancement)

Tracking

(Not tracked)

People

(Reporter: briansmith, Unassigned)

Details

(Keywords: privacy)

Today, many users have sub-optimal security settings for their email servers. For example, many users do not use TLS-enabled configurations because they do not understand the advantages of TLS, or because, at the time they first set up their email, their service provider didn't provide TLS, etc.

Also, recently some email providers have started offering IMAPS, POPS, and/or SMTPS over port 443 in addition to the standard IMAPS/POPS/SMTPS. This is a big benefit, because email over port 443 will work through many more firewalls than email over the standard ports will.

So, when we detect a sub-optimal configuration, we should offer to improve it for the user. For example, when we do update checks for Thunderbird, we can pull down updates to the server auto-configuration data, and then see if the current configuration for the user's servers is worse than the recommendations in the auto-configuration data; if so, we can ask the user to improve the security settings. Similarly, we can do this at installation time and/or when importing settings from other applications.
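
The comparison proposed in this report, sketched as an added example (not Thunderbird code and not part of the original bug): it parses server entries in the autoconfig `clientConfig` XML format and returns upgrade offers for accounts whose `socketType` is weaker than the recommendation. The function names, the `SOCKET_RANK` ordering and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the autoconfig clientConfig format; not real provider data.
SAMPLE_AUTOCONFIG = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname><port>993</port>
      <socketType>SSL</socketType>
    </incomingServer>
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname><port>143</port>
      <socketType>STARTTLS</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.com</hostname><port>587</port>
      <socketType>STARTTLS</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

# Assumed ranking for this example: any TLS beats cleartext, implicit TLS beats STARTTLS.
SOCKET_RANK = {"plain": 0, "STARTTLS": 1, "SSL": 2}
FIELDS = ("type", "hostname", "port", "socketType")

def recommended_servers(xml_text):
    """Yield (type, hostname, port, socketType) for each server entry."""
    root = ET.fromstring(xml_text)
    for tag in ("incomingServer", "outgoingServer"):
        for srv in root.iter(tag):
            yield (srv.get("type"), srv.findtext("hostname").strip().lower(),
                   int(srv.findtext("port")), srv.findtext("socketType").strip())

def suggest_upgrades(current, xml_text):
    """current: list of dicts keyed by FIELDS, describing the user's accounts.
    Returns (current, proposed) pairs to show the user; nothing is applied here."""
    offers = []
    for acct in current:
        # Only compare against entries for the same protocol on the same host.
        candidates = [r for r in recommended_servers(xml_text)
                      if r[0] == acct["type"] and r[1] == acct["hostname"].lower()]
        if not candidates:
            continue  # no recommendation for this server: leave it alone
        best = max(candidates, key=lambda r: SOCKET_RANK.get(r[3], -1))
        if SOCKET_RANK.get(best[3], -1) > SOCKET_RANK.get(acct["socketType"], -1):
            offers.append((acct, dict(zip(FIELDS, best))))
    return offers
```

An account already at or above the recommended level, or one on a host the data does not cover, produces no offer, so the user is only prompted when a strictly better setting is known.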

+1

Yes, this would be great.
(I've been suggesting that, too, back then, but not filed a bug. Thanks!)

Whiteboard: [sr:curtisk] → [secr:curtisk]
Whiteboard: [secr:curtisk] → [sec-assigned:curtisk:749337]
Depends on: 744676
Flags: sec-review?(curtisk)
Whiteboard: [sec-assigned:curtisk:749337]
Bug has no owner and has not moved in 2 years; closing blocking sec-review bug as incomplete and leaving flag to indicate need to do security work when/if this bug refreshes.
Flags: sec-review?(curtisk) → sec-review?
Severity: normal → S3