Confirm
360
edits
Changes
no edit summary
* Connection Security
** Self-signed certificates: '''NO''', unless the certificate is explicitly trusted by gecko or has had an exception created some other way (such as via the web browser). In the past, it was very common to use self-signed certificates because getting a real certificate cost money, and potentially a lot of it. Now, you can get free SSL certificates; at least StartCom provides them [https://www.startssl.com/?app=1 here]. I discussed a strategy for supporting self-signed certificates with Brian Smith early on in the e-mail app development cycle. Our conclusion was that it's reasonable to support certificate exceptions, but that adding a certificate should be a very deliberate operation and not something a user should just click through. An especially important factor was that mobile devices are much more likely to be on sketchy wi-fi where man-in-the-middle attacks are much more likely than traditional desktop-computer-from-a-trusted-home-network situation that Thunderbird traditionally has been used for. We also determined that certificate exceptions should be added from the settings app. This makes it more deliberate, and also allows the very dangerous API operation of adding certificate exceptions is only accessed from one certified app, rather than exposing it to apps like e-mail which are intended to only be privileged. Since that discussion, the browser app is now capable of adding exceptions, but it is also one of the most privileged (certified) apps around or likely to ever be around. (asuth, 2013/05/21)
=== Message Encodings ===
* All sent messages are utf-8 encoded.
* Received encodings / encoding names are:
** Anything supported by the [http://encoding.spec.whatwg.org/ WHATWG Encoding Standard]'s list of [http://encoding.spec.whatwg.org/#encodings encodings]
** A number of aliases we have added that have been observed to exist in the wild either directly by us or which are inherited from other open source code (see revision history and code comments):
*** Our regex transforms can be found here in [https://github.com/mozilla-b2g/gaia-email-libs-and-more/blob/master/data/lib/js-shims/faux-encoding.js faux-encoding.js] currently. The current list (July 2, 2013) is:
**** The prefixes: "latin", "latin-", and "latin_" are mapped to "iso-8859-".
**** The prefixes, which may be optionally followed by "-" or "_": "windows", "win", "ms" are mapped to "windows-"
**** The prefixes: "utf", "utf-", "utf_" are mapped to "utf-"
**** The values: "usascii", "us_ascii" are mapped to "ascii"
*** Our unit tests of the above file's mapping can be found in [https://github.com/mozilla-b2g/gaia-email-libs-and-more/blob/master/test/unit/test_intl_unit.js test_intl_unit.js]
