First of all, both SSL/TLS and STARTTLS mechanisms are based on the same SSL or TLS protocols. The main difference is:
- With SSL/TLS, the connection starts with the negotiation of the encryption before anything else happens. Only once that has been accomplished does the actual IMAP/POP/SMTP protocol begin.
- With STARTTLS, the connection is initially not encrypted, but then negotiated at the beginning of the IMAP/POP/SMTP protocol before any "real" communication of passwords and data occurs.
Thus, both variants are equally secure. Simplifying, you can think of SSL/TLS as "plain communication over an encrypted channel" and STARTTLS as "encrypted communication over a plain channel."
As for the labels, they were ambiguous in the pre-3.0 versions. SSL and TLS are essentially the same protocol with a different name, and both can be applied to either connection variant. SSL stopped being called that after SSL version 3.0; its successor wasn't called SSL 3.1 but TLS 1.0 instead. Then there are the newer TLS 1.1 (think of it as SSL 3.2) and TLS 1.2 (SSL 3.3) versions. Newer Thunderbird releases therefore switch to "SSL/TLS" for the encrypted-connection variant, whereas "STARTTLS" stands for the protocol name where the encryption occurs after the connection has been established.
The advantage of STARTTLS is that it doesn't need a dedicated port to connect to (e.g., IMAP works with port 143 for both unsecured and STARTTLS connections, whereas SSL/TLS has to use port 993 instead). This makes it possible to determine "on the fly" whether or not encryption should be used, hence the "TLS if available" option. As you pointed out in your #4 item, this indeed means that you don't know whether encryption is actually applied (this was an option for providers which required, for example, that no encryption be used when connecting from within their own network, but that it be used when connecting from an outside location to the same server). Thus, the option has been deprecated. That is, your #4 suggestion is what happens whenever STARTTLS is selected (i.e., you should get an error message if the server doesn't support STARTTLS).
As for your other questions:
- No, per the explanation above, unless you've migrated your profile from a pre-3.0 version, had the "TLS if available" option selected there, and didn't change it (at least that was still permissible in 3.x; I don't know if it was actually removed entirely in newer versions). It is not possible to select this when setting up a new account with 3.0 or later.
- Thunderbird 17.0.x supports SSL 3.0 and TLS 3.1 versions; Thunderbird 24.0 (coming up in September) should also support TLS 1.1 and TLS 1.2, but those may not be enabled by default.
- I'm not aware of a Page Info style dialog or indicator telling you which version (and which TLS suites or extensions) are used. There is only the generic "lock" symbol in the account icon in the folder list.
- Same as #1: no communication should be performed if STARTTLS is selected but can't be established.
In summary, you should only run into a security risk when selecting no connection security at all and no password encryption either.
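The two connection variants discussed in the reply above, written out as a small Python client, as an added example that is not part of the original post and is not Thunderbird's code. It shows the "SSL/TLS" variant (TLS first on port 993, IMAP afterwards) next to the "STARTTLS" variant (plain IMAP on port 143, upgraded before any password is sent), and it implements the fail-closed behaviour the reply describes: if the server does not advertise STARTTLS, the client drops the connection instead of continuing in plaintext. It also prints the negotiated TLS version and cipher suite, which is the information the reply says Thunderbird has no dialog for. The hostnames, ports and the minimal loopback IMAP server used for the demo are constructed for this example (it only understands CAPABILITY and LOGOUT, and cannot complete a TLS handshake itself).

```python
"""Added example (not from the original post): the two IMAP connection
variants from the reply above, with a fail-closed STARTTLS check.

Assumptions (not from the post): hostnames/ports and the toy IMAP server
below are constructed for this example; it only models CAPABILITY/LOGOUT."""
import imaplib
import socket
import ssl
import threading


def tls_context() -> ssl.SSLContext:
    """Context used for both variants: verifies the server certificate and
    refuses anything below TLS 1.2 (TLS 1.0/1.1 are deprecated)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls_advertised(capabilities) -> bool:
    """True if STARTTLS appears in the parsed CAPABILITY list."""
    return "STARTTLS" in {c.upper() for c in capabilities}


def open_imap(host: str, port: int, mode: str, ctx: ssl.SSLContext):
    """mode 'ssl/tls': TLS first, IMAP afterwards (normally port 993).
    mode 'starttls': plain IMAP (normally port 143), upgraded before login.
    Refuses to continue in plaintext if STARTTLS is not offered."""
    if mode == "ssl/tls":
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    if mode == "starttls":
        conn = imaplib.IMAP4(host, port)  # plaintext: only greeting + CAPABILITY so far
        if not starttls_advertised(conn.capabilities):
            conn.shutdown()  # drop the socket without sending any credentials
            raise RuntimeError("server does not advertise STARTTLS; refusing plaintext")
        conn.starttls(ssl_context=ctx)  # certificate is verified through ctx
        return conn
    raise ValueError(f"unknown mode {mode!r}")


def tls_summary(conn) -> str:
    """Negotiated protocol version and cipher suite of an upgraded/TLS connection."""
    return f"{conn.sock.version()} {conn.sock.cipher()[0]}"


def fake_imap_server(capabilities: str) -> int:
    """Constructed test double: a plaintext IMAP server on 127.0.0.1 that
    answers CAPABILITY with the given string and exits on LOGOUT or EOF.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as reader:
            conn.sendall(b"* OK fake IMAP ready\r\n")
            for raw in reader:
                tag, _, cmd = raw.decode("ascii", "replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "CAPABILITY":
                    conn.sendall(f"* CAPABILITY {capabilities}\r\n{tag} OK done\r\n".encode())
                elif cmd == "LOGOUT":
                    conn.sendall(f"* BYE\r\n{tag} OK done\r\n".encode())
                    break
                else:
                    conn.sendall(f"{tag} NO not implemented\r\n".encode())

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_starttls(host: str, port: int) -> bool:
    """Connect in plaintext, read CAPABILITY, disconnect; report whether the
    server would let us upgrade. Sends no credentials."""
    conn = imaplib.IMAP4(host, port)
    try:
        return starttls_advertised(conn.capabilities)
    finally:
        conn.shutdown()


if __name__ == "__main__":
    ctx = tls_context()
    port = fake_imap_server("IMAP4rev1 AUTH=PLAIN")  # no STARTTLS offered
    print("STARTTLS advertised:", probe_starttls("127.0.0.1", port))
    port = fake_imap_server("IMAP4rev1 AUTH=PLAIN")
    try:
        open_imap("127.0.0.1", port, "starttls", ctx)
    except RuntimeError as exc:
        print("refused:", exc)
    # Against a real server the encrypted-first variant would be, e.g.:
    #   conn = open_imap("imap.example.net", 993, "ssl/tls", ctx)
    #   print(tls_summary(conn))
```

The important detail is the order of operations in the STARTTLS path: the only things that cross the wire in plaintext are the server greeting and the CAPABILITY exchange, and the decision to abort is taken before LOGIN or AUTHENTICATE is ever sent. That is exactly what the deprecated "TLS if available" option did not guarantee.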