cpw.ivan: d849dc2a: This is kind of controversial, but appar...
Mark Doliner
mark at kingant.net
Mon Nov 1 14:51:33 EDT 2010
On Sat, Oct 30, 2010 at 5:36 PM, Paul Aurich <paul at darkrain42.org> wrote:
> On 2010-10-30 14:16, ivan.komarov at soc.pidgin.im wrote:
>> This is kind of controversial, but apparently not having tlsCertName
>> in the startOSCARSession response is normal and indicates we
>> shouldn't use SSL for connecting to BOS even if we requested
>> SSL in account settings.
>
> I would prefer that we error the connection in this situation (with a
> useful error message), not just log an error message to the Debug Window.
>
> Either that or move to a "Don't use TLS/Use TLS if available/Require
> TLS" dropdown.
Authentication will always happen over https in either case, right?
We're only concerned about silent fallback to http for buddy list,
IMs, etc? If AOL's https servers were more reliable I think we could
get away with a simple "Require encryption" checkbox. Unfortunately,
I feel like it's probably a good idea for us to give users the option
to disable https entirely.
What if we change the current "Use SSL" checkbox to a dropdown box
with these options:
"Require encryption"
"Use encryption if available"
"Don't use encryption"
Should be very similar to XMPP's dropdown in appearance. Maybe we
should add a note that says, "your password will always be encrypted,
regardless of this setting"? Mouse-over tooltip maybe? And I'd vote
that the default setting be "use encryption if available."
--Mark
More information about the Devel
mailing list