Confirm
591
edits
Changes
→Philor: SSL is also a migitating factor against the subdomain case
I can see two possible counter-measures for that:
1) The webhoster must block the autoconfig subdomain or register/use it himself.
2) We could also contact https://www.<domain>/autoconfig/mail/mozilla.xml /before/ we contact autoconfig.<domain>.
Upside of 2) is that it's a bit easier to set up (no new host). Downside is that it creates more 404 spam in the hoster's logfile (same as /favicon.ico, which I hate).
Microsoft has a very, very similar feature in Outlook / Exchange 2007, which also contacts "https://<domain>/autodiscover/autodiscover.xml" and "https://autodiscover.<domain>/autodiscover/autoodiscover.xml", so they do exactly the same (same idea independently), and they used 2) above. (There are some differences in the XML files, so dropping our own format in favor of Microsoft's is not a good idea, but I plan to implement the autodiscover as well, in case we talk to Exchange 2007 servers).
Also, we require a proper SSL certificate. I don't think many of these webhosters give out real IP addresses on these domains, it's usually only purely Virtual Hosting (HTTP "Host:"). I think CAs also demand that you're in control of the SLD (second level domain), not just a subdomain, but I'm not sure about that.
