On Sun, 13 Dec 2015, Alice Wonder wrote:
> A big negative to Thunderbird autoconfig - it looks for http before https
> resulting in MITM vulnerability.
> They say it is because hosting companies like godaddy don't want to have a
> TLS cert for every e-mail domain.

I agree with both :-)

> They should have a DNS TXT field like _moz_auto.domain.tld or something that
> points to the authoritative TLS autoconfig server but they don't want to do
> that.

Do you have a link for this information? Don't see a drawback with this
approach when they fall back to the normal method without the record. Exchange
uses a SRV record (which is better than TXT, I think - _autodiscover._tcp....),
but this also has issues, as they don't look this up first, but only after
they have tried some other things.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)