SSL,TLS, POODLE, email, Fastmail, Popcorn and me

I pay for my email service. Experience has shown that there are things worth paying for and, to me, email is one of them. I find technical competence (no more ISP-provided email, thank you), a web interface that is less confusing than Gmail and technical support worth paying for.

Today, when I could not read or send email using my favorite email client, I thought I would be dealing with technical support. To my surprise, I ran into the technical competence instead.

The email client was Popcorn. It runs on Windows XP and later, and provides outstanding security. By and large it does this by being simple; addition by subtraction, if you will. To make an analogy, Popcorn is akin to the Sumatra PDF reader, whereas Outlook and Thunderbird are full-fledged beasts like the Adobe Reader.

popcorn.discontinued

Popcorn is a niche product, to say the least. It never got much publicity. The software is small and portable. There used to be free and paid editions but development (by Ultrafunk) was officially discontinued in 2010. The last software update was in 2012.

Much of the safety derives from the fact that Popcorn is plain text only; no HTML, no pictures. Because it doesn't support HTML, the target of links are shown in plain text, as illustrated below. 

popcorn.url.asplaintext3

Because it doesn't support JavaScript, inline scripts also display as plain text. The script below, generates another script. Neither runs in Popcorn.

popcorn.javascript.as.text.620w

I use Popcorn to pre-process my email. It safely displays the junk and scam messages, which I delete, before consuming the good messages with more full-featured software.

I have been using Popcorn for a very long time. It came out in 1998, but I'm not sure when I became aware of it. 

The software was created before anyone cared about encrypted access to email servers. At some point, SSL was added as an option, but you had to download a pair of DLLs (they were not included with the software) and re-configure the program. Needless to say, I did.

And that's where things stood, year after year after year. Until today when I got my first Popcorn error, shown below.

popcorn.email.failure

The server mail.messagingengine.com belongs to Fastmail. I was about to contact their tech support when it dawned on me that they caused the problem. On purpose.

BIG PICTURE

We often refer to the worlds most popular encryption standard as SSL, but SSL was replaced by a newer standard, TLS, back in 1999. The name however, stuck.

Also sticking around was the last version of SSL, version 3, despite its being considered obsolete for over a decade.

Yesterdays announced POODLE flaw is in SSL version 3. The newer TLS is fine.

To finally rid the Internet of the ancient SSLv3 requires action both on the part of clients and servers.

The most popular clients, web browsers, are all making plans to remove support for SSLv3. All except for Apple which, as usual, has no comment about Safari. If you want to disable SSLv3 in your web browser now, there are configuration tweaks for Chrome, Firefox and Internet Explorer. 

On the server side, Cloudflare disabled SSLv3 by default. Realizing this may break something, they provided a way for their clients to re-enable it, if need be.

MY PROBLEM

All of which leads to my Popcorn email error. 

popcorn.email.failure

Fastmail disabled SSLv3 today in reaction to yesterdays POODLE flaw. Being ancient, Popcorn was still using SSLv3.

It turns out that Popcorn gained support for TLS in July 2012. But thinking that the software was abandoned, I had not checked for updates in a long time.

That's the good news. The bad news is that Popcorn only supports TLS for sending email, not for reading. But, like Cloudflare, Fastmail provides a way for their clients to continue using SSLv3. From what I have seen, the POODLE flaw is not that big a deal, so I feel comfortable continuing to use SSLv3 for reading email.

The last version of Popcorn (1.99.3) is still available at assorted Windows software download sites. Pre-processing email takes a bit more effort, but that's the price of Defensive Computing.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Related:
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.