Gaia/Email/Autoconfig: Difference between revisions

Update autoconfig process; we've been using https ISP checks for a while now
 
Line 28: Line 28:
*** The only way to update the configuration file is to update the e-mail app.  If the account setup steps change, until the app is updated, manual setup may be the only way to create a working account.
*** The only way to update the configuration file is to update the e-mail app.  If the account setup steps change, until the app is updated, manual setup may be the only way to create a working account.
*** Disk space.  Although the app is packaged as a zip file so there are some compression benefits, supporting N domains using the same configuration requires N files.  This potentially does not scale well.  It is probably necessary to create a more space-efficient mechanism that is aware of such duplication.
*** Disk space.  Although the app is packaged as a zip file so there are some compression benefits, supporting N domains using the same configuration requires N files.  This potentially does not scale well.  It is probably necessary to create a more space-efficient mechanism that is aware of such duplication.
* <b>http://autoconfig.xampl.tld/mail/config-v1.1.xml?emailaddress=user%40xampl.tld</b>: Check for a [https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration/FileFormat/HowTo XML configuration definition] hosted by the server operator at a subdomain.
* <b>https://autoconfig.xampl.tld/mail/config-v1.1.xml?emailaddress=user%40xampl.tld</b>: Check for a [https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration/FileFormat/HowTo XML configuration definition] hosted by the server operator at a subdomain.
** Advantages:
** Advantages:
*** The server operator completely controls the settings for their domain.  We don't need to ship a configuration with the phone or add it to the Thunderbird ISP database.
*** The server operator completely controls the settings for their domain.  We don't need to ship a configuration with the phone or add it to the Thunderbird ISP database.
*** Because the e-mail address is included in the request, the operator can provide user-specific settings.  This is most useful when the ISP maintains multiple mail clusters that require different settings to use.  If the mail cluster are fronted by a proxy implementation, this does not matter.
*** Because the e-mail address is included in the request, the operator can provide user-specific settings.  This is most useful when the ISP maintains multiple mail clusters that require different settings to use.  If the mail cluster are fronted by a proxy implementation, this does not matter.
*** https encrypted/authenticated connection
** Disadvantages:
** Disadvantages:
*** Requires the server operator's initial and continued involvement.
*** Requires the server operator's initial and continued involvement.
*** While the Thunderbird autoconfig mechanism has been adopted by some other open-source clients and has a non-trivial user-base, it's also not the world's largest user-base so not all o
*** While the Thunderbird autoconfig mechanism has been adopted by some other open-source clients and has a non-trivial user-base, it's also not the world's largest user-base so not all operators do this.
*** The request is made as a non-https request.  See [https://wiki.mozilla.org/Thunderbird:Autoconfiguration the original Thunderbird autoconfig feature page for links to security considerations and review].
* <b>https://xampl.tld/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=user%40xampl.tld</b>: Check for a [https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration/FileFormat/HowTo XML configuration definition] hosted by the server operator at the root-domain using a [http://tools.ietf.org/html/rfc5785 well-known URI].  All the advantages/disadvantages are the same as for the previous server-operator hosted mechanism, the domain is simply different.
* <b>http://xampl.tld/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=user%40xampl.tld</b>: Check for a [https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration/FileFormat/HowTo XML configuration definition] hosted by the server operator at the root-domain using a [http://tools.ietf.org/html/rfc5785 well-known URI].  All the advantages/disadvantages are the same as for the previous server-operator hosted mechanism, the domain is simply different.
* <b>https://xampl.tld/autodiscover/autodiscover.xml</b>: Look for an ActiveSync AutoDiscover server hosted by the server operator.  This is a secure authenticated POST request that includes the e-mail address in the POST payload; the credentials (e-mail address and password) are provided as part of the usual authentication header.
* <b>https://xampl.tld/autodiscover/autodiscover.xml</b>: Look for an ActiveSync AutoDiscover server hosted by the server operator.  This is a secure authenticated POST request that includes the e-mail address in the POST payload; the credentials (e-mail address and password) are provided as part of the usual authentication header.
** Advantages:
** Advantages:
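Review bot: Dropping the bullet "The request is made as a non-https request. See [...] the original Thunderbird autoconfig feature page for links to security considerations and review" removes the only pointer to the autoconfig security review, and that review still applies after the move to https. TLS on the fetch of config-v1.1.xml authenticates the autoconfig host and hides the emailaddress query parameter on the wire, but it does not vouch for the IMAP/SMTP hostnames the XML then tells the client to send credentials to; keep the link under a reworded disadvantage along the lines of "The fetched configuration is trusted as-is; see [...] for the security review". The new advantage line "https encrypted/authenticated connection" should also state whether a plain-http attempt is still made when the https fetch fails, since the edit summary says https checks have been in use for a while but the list now shows only https URLs, and a silent http fallback would reintroduce the network-attacker case the removed bullet described.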
Line 57: Line 57:
** Advantages:
** Advantages:
*** Depending on the MX entry lets us support many vanity domains while only requiring one XML configuration file per domain.  However, an XML configuration file is required.  We do not repeat the ActiveSync AutoDiscover process.
*** Depending on the MX entry lets us support many vanity domains while only requiring one XML configuration file per domain.  However, an XML configuration file is required.  We do not repeat the ActiveSync AutoDiscover process.
** Good News, Bad News:
*** The Mozilla-hosted Thunderbird ISP Database is very likely a more secure place to be performing MX DNS lookups.  However, this step already occurs after the point an attacker with the ability to manipulate local DNS lookups would already have succeeded under the current implementation.
** Disadvantages:
** Disadvantages:
*** The Mozilla server is also a single-point-of-failure.  If the server is down, this step does not work for any users.  If the server is compromised or its DNS lookups are compromised, this affects all users who make it to this step for the duration of the compromise.  However, the server has been operational for many years with no compromises and no meaningful downtime.
*** The Mozilla server is also a single-point-of-failure.  If the server is down, this step does not work for any users.  If the server is compromised or its DNS lookups are compromised, this affects all users who make it to this step for the duration of the compromise.  However, the server has been operational for many years with no compromises and no meaningful downtime.
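Review bot: The new "Good News, Bad News" bullet says the Mozilla-hosted MX lookup "already occurs after the point an attacker with the ability to manipulate local DNS lookups would already have succeeded under the current implementation", but with the server-operator lookups in this revision now on https the reader cannot tell which earlier step is the one that still trusts local DNS. Name it (for example the ActiveSync AutoDiscover probe or whichever step resolves a hostname over plain DNS before contacting it) so the ordering claim can be checked, and consider folding the bullet into the existing "Advantages"/"Disadvantages" pairs used by every other mechanism on the page rather than introducing a third heading that appears only here.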
Line 68: Line 66:
* {{bug|823640}}: Implement sub-domain guessing consistent with Thunderbird's sub-domain guessing.  Given "xampl.tld", Thunderbird will try things like "mail.xampl.tld" and "imap.xampl.tld"/"smtp.xampl.tld".  Because we don't currently do this, this means the Gaia e-mail app needs locally-hosted or Thunderbird ISP-database-hosted entries that Thunderbird does not need (and accordingly may not exist).
* {{bug|823640}}: Implement sub-domain guessing consistent with Thunderbird's sub-domain guessing.  Given "xampl.tld", Thunderbird will try things like "mail.xampl.tld" and "imap.xampl.tld"/"smtp.xampl.tld".  Because we don't currently do this, this means the Gaia e-mail app needs locally-hosted or Thunderbird ISP-database-hosted entries that Thunderbird does not need (and accordingly may not exist).
* Ship the entire ISP database on the device (in a more compressed fashion).
* Ship the entire ISP database on the device (in a more compressed fashion).
* Reduce the potential for attackers who control the network to perform a viable attack.  This could be effected by abandoning non-HTTPS lookups, confirming potentially compromised lookups/requests via a secure connection to trustworthy servers (Mozilla Thunderbird ISP database, an SSL-observatory type thing, etc.), more detailed UI to help the user confirm that the domains we choose look reasonable, confidence intervals, etc.
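Review bot: Removing the whole "Reduce the potential for attackers who control the network" bullet discards more than the part the https change addresses. Only "abandoning non-HTTPS lookups" is done by this revision; the other items in that bullet (confirming possibly compromised lookups against a trusted server such as the Thunderbird ISP database or an SSL-observatory style service, and UI that lets the user confirm the chosen domains look reasonable) are still open work and are not covered by switching the operator-hosted URLs to https. Suggest keeping a trimmed bullet such as "Confirm lookups that still depend on local DNS (e.g. MX-based and AutoDiscover steps) via a secure connection to a trustworthy server, and show the user the domains that were selected" so the remaining hardening items stay on the future-work list.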