Deneb Meketa wrote:
> Looking at the "Server Settings" panel for an email account in Firefox
> 1.5, I see these options:
>
> Security Settings
> Use secure connection:
> () Never
> () TLS, if available
> () TLS
> () SSL
> [] Use secure authentication
>
> I'm curious what "use secure authentication" actually does. I'd like to
> see security be really easy for users, and I think they will find it
> confusing (I certainly do) that "use secure authentication" is separate
> from "use secure connection". How do the two differ?
>
> I have a few theories:

[snip]

> 2. Maybe "use secure authentication" doesn't refer to encryption; maybe
> instead it refers to a more robust authentication protocol. Maybe
> something more than just username and password are exchanged in this
> kind of setup. If this is the case, I'd be a big fan of explaining this
> in some way - maybe more verbose text in the checkbox label?
>
> Basically, I think users should easily be able to answer the question:
> do I have a secure configuration that I'm comfortable with? If my
> server supports SSL, but doesn't support secure authentication (which is
> nicely indicated by a dialog box), is that OK, or do I need to look for
> a better ISP?

AMEN! I so agree with you! Users should find the prefs simple enough to
understand that they can make the right choice the first time.

I think the problem is that these different settings represent
combinations of features that aren't exactly household words. Someone
has attempted to boil each choice down to a minimum of words, and in
this case, they went too far, IMO.

Below I will give a more complete explanation of each choice. Maybe you
can find a one-line phrase for each one that is clearer than what's
above. That might be a good contribution.

> Many thanks for any clarification.

Here's what these settings really mean:

> Use secure connection:

means use some form of SSL to encrypt the connection

> [] Use secure authentication

means use a cryptographic protocol just for the password. No SSL, no
encryption (as such). Commonly called CRAM-MD5, IINM, which (IIRC) means
"CRyptographic Access Method". This one uses MD5 (hash algo, not
encryption). This is NOT mutually exclusive with the use of SSL, but IMO
is mostly applicable when SSL is not used. Given the existence of bug
311939, the use of CRAM-MD5 is always a good idea with any server that
supports it, IMO, even when TLS is selected.

Here are the choices for use of SSL (a.k.a. TLS). I'm going to discuss
the choices out of order.

> () Never

self-explanatory, one hopes. One would hope to use CRAM-MD5 here.

> () SSL

This always uses SSL/TLS. It uses a separate "port" number on the server
from the "normal" POP3, IMAP, SMTP or NNTP port. With this special port,
SSL/TLS is started first (very first thing), and all subsequent traffic
on that port uses SSL/TLS, including the login part (name/password) and
the subsequent message transfers.

> () TLS

IMO, this should have been named "StartTLS". StartTLS is a feature of
POP3, IMAP, SMTP, LDAP, and (IINM) NNTP. It uses the normal port number
and the connection starts out "in the clear" just as it would if SSL/TLS
was never to be involved. But early on in the connection, the client asks
the server "Do you support SSL/TLS?" and if the server answers in the
affirmative, the client then tells the server "Let's start using SSL/TLS
right now". And they do. Thereafter, the behavior on the connection is
just like the "always use SSL/TLS" case above. The login and message
traffic happen over SSL/TLS after that for the remainder of the
connection. Again, this feature is called StartTLS.

With this particular choice (named "TLS"), if the server responds saying
that it does NOT support StartTLS, then the connection ends without the
login info being sent to the server.

> () TLS, if available

This is just like the "TLS" (really StartTLS) case above, EXCEPT that the
"if available" part means that if the server says "I do not support
StartTLS" when the client asks, then the client just falls back to not
using SSL at all, and behaves just like the "Never" case above. So, for
this choice, the use of SSL/TLS is OPTIONAL, and is chosen by the server.
The user is not notified whether encryption was used, or not. Personally,
I would not use this feature, at least not without also using CRAM-MD5.

As you can see, the choice of the names "SSL" and "TLS" to describe the
difference between those options is really poor. SSL and TLS are
effectively synonyms. The difference is whether SSL/TLS is done from the
very beginning of the connection, or is negotiated and started after the
connection has begun.

See also https://bugzilla.mozilla.org/show_bug.cgi?id=311939

-- 
Nelson B
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
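An added illustration of the four "Use secure connection" choices and the "secure authentication" checkbox that Nelson walks through above (example code written for this page, not taken from the original post or from any Mozilla code): a Python simulation of the client's decision logic against a constructed stand-in server. FakeServer, login and the mode strings are assumptions; the CRAM-MD5 response format follows RFC 2195.

```python
import base64
import hashlib
import hmac
import os

class FakeServer:
    """Constructed stand-in for a POP3-style server: it either advertises STLS
    (StartTLS) or not, and records each client line with whether TLS was on."""
    def __init__(self, supports_starttls):
        self.supports_starttls = supports_starttls
        self.tls_active = False
        self.received = []                 # (line, tls_active) pairs, in order

    def capabilities(self):
        return {"STLS"} if self.supports_starttls else set()

    def starttls(self):
        assert self.supports_starttls, "server has no STLS"
        self.tls_active = True             # stands in for the TLS handshake

    def recv(self, line):
        self.received.append((line, self.tls_active))

def cram_md5_response(user, password, challenge):
    # RFC 2195: the client returns HMAC-MD5(password, server challenge), so the
    # password itself never goes on the wire, encrypted or not.
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def login(mode, secure_auth, server, user, password):
    """Apply one 'Use secure connection' mode plus the 'secure authentication'
    checkbox; report what an eavesdropper on the wire could have seen."""
    if mode == "SSL":
        server.tls_active = True           # dedicated port: TLS before any command
    elif mode in ("TLS", "TLS, if available"):
        if "STLS" in server.capabilities():
            server.starttls()
        elif mode == "TLS":                # no StartTLS: stop, send no login at all
            return {"outcome": "aborted", "login_over_tls": None, "password_exposed": False}
        # "TLS, if available" falls through and continues in the clear, silently
    if secure_auth:
        challenge = os.urandom(16)         # in real CRAM-MD5 the server issues this
        server.recv("AUTH CRAM-MD5 " + cram_md5_response(user, password, challenge))
    else:
        server.recv(f"USER {user}")
        server.recv(f"PASS {password}")
    exposed = any(password in line and not tls for line, tls in server.received)
    return {"outcome": "login_sent", "login_over_tls": server.tls_active,
            "password_exposed": exposed}
```

Running login over every mode against servers with and without STLS shows the point of the post: only "TLS, if available" without CRAM-MD5 sends the password in the clear while telling the user nothing.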