Changes

** Self-signed certificates: '''NO''', unless the certificate is explicitly trusted by gecko or has had an exception created some other way (such as via the web browser). If we fix In the past, itwas very common to use self-signed certificates because getting a real certificate cost money, and potentially a lot of it would be . Now, you can get free SSL certificates; at least StartCom provides them [https://www.startssl.com/?app=1 here]. I discussed a strategy for supporting self-signed certificates with Brian Smith early on in the system e-mail app development cycle. Our conclusion was that it's reasonable to allow you support certificate exceptions, but that adding a certificate should be a very deliberate operation and not something a user should just click through. An especially important factor was that mobile devices are much more likely to add be on sketchy wi-fi where man-in-the-middle attacks are much more likely than traditional desktop-computer-from-a -trusted-home-network situation that Thunderbird traditionally has been used for. We also determined that certificate exceptions should be added from the settings app. This makes it more deliberate, and also allows the very dangerous API operation of adding certificate or an exceptionexceptions is only accessed from one certified app, rather than exposing it to apps like e-mail which are intended to only be privileged. Since that discussion, the browser app is now capable of adding exceptions, but we don't want to make it easy is also one of the most privileged (certified) apps around or likely to doever be around. (asuth, 2013/05/1521).