> > The "TLS, if available" option is common to most MUAs and is a serious > security problem. > As is every other mainstream application of TLS/SSL I've ever seen coded into a mainstream application. Don't just pick on Thunderbird for it - applications using TLS/SSL typically make MITM easy by design, rather than difficult. Sit you your faviorite wireless network and MITM your faviorite ssl web sites off it. If your user population is very intelligent, maybe only 9 out of 10 will click the "Windows is annoying me with a box and an OK button - I will click OK to keep going" popup and ignore the certificate mismatch utterly. Otherwise the only hard part will be finding a user that doesn't ignore the mismatch - it's so easy to get passwords this way it isn't even sporting. It's like whacking baby seals with a stick. SSL/TLS applications are just the latest most fertile ground where software designers have put in a crutches for lazy stupid people thereby rendering something kinda ok into something mostly useless. -Bob -- Bob Beck AICT beck@xxxxxxxxxxxxxxxxxxxx University of Alberta if ((not 0 && not 1)!=(!0 && !1)){print "I want what Larry and Tom smoke!\n";}