Closed Bug 753516 Opened 13 years ago Closed 12 years ago

[autoconfig] Make it clear that entered password won't be sent in the clear (while probing), if server supports encryption

Categories

(Thunderbird :: Account Manager, defect)

10 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 634078

People

(Reporter: KaiE, Unassigned)

Details

During my struggles (which I reported in bug 753507 and bug 753511) I initially omitted the password entry. Because the behaviour of the account wizard is a black box for me, I was deeply worried that the wizard might send the password to the server in the clear (without encryption). Because I wanted to avoid that at all cost, I didn't enter the password.

When I ran into the issues from bug 753507 and bug 753511, I wasn't sure: is it necessary or unnecessary to enter my password for probing? If I do, might this re-testing send my password in the clear?

Ben suggested "we won't send your password until very late in the process". Well, if this is true, why do you ask for it early? This is confusing. If you don't need the password for probing, then don't ask for it early. And entering the password isn't necessary for creating the password either. (Some people might prefer to always enter it, never store it.)

I think this UI should get some more thought. I have two proposals:

(a) Show the message "your password will not be sent to the server while detecting settings" when you prompt for the password, in order to allow paranoid folks like me to relax.

(b) Postpone asking for the password. Do it only after you have learned all the settings - and in fact with some settings no password might be necessary at all.
Summary: Make it clear that entered password won't be sent in the clear, if server supports encryption → Make it clear that entered password won't be sent in the clear (while probing), if server supports encryption
(In reply to Kai Engert (:kaie) from comment #0)
> Ben suggested "we won't send your password until very late in the process".
> Well, if this is true, why do you ask for it early? This is confusing.

The UI goal was to have one page where we ask questions, and make the rest as automatic as possible. So I'm going to blame the UI folks.
What bienvenu said. For most cases, these 3 values are all that we need to set up an account, so this is basically a simple one-step process. That was the goal for the wizard.

> I initially omitted the password entry.

I think we should not allow this anymore. This causes too many people like kaie to stumble. I've seen many people fail badly in the wizard, and later after a long discussion we discovered that they didn't enter a password, but they thought that was legal and thus never mentioned it. Without password, important parts of the wizard like the username guessing and account verification can't work.

> (a) Show the message "your password will not be sent to the server while detecting settings"
> when you prompt for the password, in order to allow paranoid folks like me to relax.
> (b) Postpone asking for the password. Do it only after you have learned all the settings
> - and in fact with some settings no password might be necessary at all.

Sorry, none of them are good solutions. a) clutters the dialog. And the information in the text would boil down to "Thunderbird is secure". That goes without saying. b) not possible for the reasons mentioned. So, I think this is a WONTFIX, sorry.
FWIW, we do take great pains to never send the password to a server unless we're sure the server is correct (e.g. user approved), and even then we do warn with a big red dialog before sending the password in the clear over the wire.
Summary: Make it clear that entered password won't be sent in the clear (while probing), if server supports encryption → [autoconfig] Make it clear that entered password won't be sent in the clear (while probing), if server supports encryption
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE