cpw.ivan: d849dc2a: This is kind of controversial, but appar...

Mark Doliner mark at kingant.net
Mon Nov 1 14:51:33 EDT 2010

On Sat, Oct 30, 2010 at 5:36 PM, Paul Aurich <paul at darkrain42.org> wrote:
> On 2010-10-30 14:16, ivan.komarov at soc.pidgin.im wrote:
>> This is kind of controversial, but apparently not having tlsCertName
>> in the startOSCARSession response is normal and indicates we
>> shouldn't use SSL for connecting to BOS even if we requested
>> SSL in account settings.
> I would prefer that we error the connection in this situation (with a
> useful error message), not just log an error message to the Debug Window.
> Either that or move to a "Don't use TLS/Use TLS if available/Require
> TLS" dropdown.

Authentication will always happen over https in either case, right?
We're only concerned about silent fallback to http for buddy list,
IMs, etc?  If AOL's https servers were more reliable I think we could
get away with a simple "Require encryption" checkbox.  Unfortunately,
I feel like it's probably a good idea for us to give users the option
to disable https entirely.

What if we change the current "Use SSL" checkbox to a dropdown box
with these options:
    "Require encryption"
    "Use encryption if available"
    "Don't use encryption"
Should be very similar to XMPP's dropdown in appearance.  Maybe we
should add a note that says, "your password will always be encrypted,
regardless of this setting"?  Mouse-over tooltip maybe?  And I'd vote
that the default setting be "use encryption if available."
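
The three-way setting proposed above, applied to the case from the quoted commit message where the startOSCARSession response has no tlsCertName, as an added example that is not part of the original thread or Pidgin's code. The enum, struct and function names are hypothetical, and treating an unknown setting value as "require" is an assumption made here so the code fails closed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for illustration; not libpurple identifiers. */
enum enc_policy { ENC_REQUIRE, ENC_IF_AVAILABLE, ENC_NONE };
enum bos_transport { BOS_TLS, BOS_PLAIN, BOS_ABORT };

struct bos_decision {
    enum bos_transport transport;
    int downgraded;      /* 1 when TLS was wanted but plaintext is used */
    const char *message; /* text to show the user, or NULL */
};

/* tls_cert_name is the tlsCertName value from the startOSCARSession
 * response, or NULL/"" when the server left it out. */
struct bos_decision decide_bos_transport(enum enc_policy policy,
                                         const char *tls_cert_name)
{
    int offered = tls_cert_name != NULL && tls_cert_name[0] != '\0';
    struct bos_decision d = { BOS_PLAIN, 0, NULL };

    if (policy == ENC_NONE)
        return d;                 /* user opted out; ignore any offer */
    if (offered) {
        d.transport = BOS_TLS;    /* connect to BOS over TLS */
        return d;
    }
    if (policy == ENC_IF_AVAILABLE) {
        d.downgraded = 1;         /* visible fallback, not a silent one */
        d.message = "Server did not offer encryption; connecting unencrypted.";
        return d;
    }
    /* ENC_REQUIRE, and any unknown value, fails closed (assumption). */
    d.transport = BOS_ABORT;
    d.message = "Encryption is required but the server did not offer it.";
    return d;
}

int main(void)
{
    /* Constructed inputs: a response without tlsCertName under each setting. */
    const char *names[] = { "require", "if available", "none" };
    for (int p = ENC_REQUIRE; p <= ENC_NONE; p++) {
        struct bos_decision d = decide_bos_transport((enum enc_policy)p, NULL);
        printf("%-12s -> transport=%d downgraded=%d %s\n", names[p],
               d.transport, d.downgraded, d.message ? d.message : "");
    }
    return 0;
}
```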


