The SSL Way, and Why Mozilla Needs a Push

Unlike most people, I do (mostly did, but the odd thing still crops up) computer security work. Unlike most of those few, I actually thought about what I was doing and had both the legal and technical background to do it in what I think was a responsible way, so I have no qualms about using security tools.

So, like most people who have ever thought about the consequences of not using minimal security, I'm more than a little reluctant to send unencrypted passwords over the Web, and have studiously avoided using POP3 or IMAP servers without (at the very least) APOP or CRAM-MD5 authentication.

(My advice: if your ISP doesn't support encrypted passwords on its mail servers, change ISPs. But hey, that's only an opinion - you might not have the option. On with the show.)

Better still is SSL support. Even though e-mail bounces around the Internet in the clear, internal e-mail doesn't. So, if you happen to read your internal (or personal, or whatever) e-mail via IMAP, you don't want the latest top secret cooking recipe transmitted over the Internet in clear text (especially not in this gloriously insecure Wi-Fi age).

The Mozilla suite supports encrypted passwords, but (even in Thunderbird) the mail application persists in the brain-dead approach of only supporting plain IMAP (on port 143) or IMAP over SSL (on port 993). That is, it cannot connect on port 143 and then switch to SSL mode via the STARTTLS command.
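To make the distinction concrete, here is an added example (my own code, not anything from the original post or from Mozilla) of what a client ought to do on port 143: read the server's CAPABILITY response, upgrade with STARTTLS before any credentials go over the wire, fall back to CRAM-MD5 if no TLS is on offer (the APOP/CRAM-MD5 point from earlier), and otherwise refuse rather than send a cleartext LOGIN. The `connect_imap_starttls` helper uses Python's standard `imaplib` and `ssl` modules; the capability strings in the comments are constructed samples, not captured from any real server.

```python
"""IMAP on port 143 done properly: STARTTLS before LOGIN.

Added example, not code from the original post. Uses only the standard
library (imaplib.IMAP4.starttls exists from Python 3.2 onwards).
"""
import imaplib
import ssl


def parse_capability_line(line):
    """Split an untagged IMAP CAPABILITY response into its words.

    `line` is the raw bytes read off the wire, for example the constructed
    sample b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED".
    """
    words = line.decode("ascii", errors="replace").split()
    # Drop the leading "*" and "CAPABILITY" tokens; keep what the server advertises.
    if len(words) >= 2 and words[0] == "*" and words[1].upper() == "CAPABILITY":
        words = words[2:]
    return words


def choose_auth(capabilities, tls_active=False):
    """Decide how (or whether) to authenticate, given the CAPABILITY words.

    Returns one of:
      "starttls"  - clear connection, server offers STARTTLS: upgrade first
      "cram-md5"  - no TLS on offer, but the password never travels in clear
      "plain"     - TLS already active, so LOGIN / AUTH=PLAIN is acceptable
      None        - refuse: the only option would send the password in clear
    A server that advertises LOGINDISABLED is saying the same thing from its
    side: it will not accept LOGIN until the connection is encrypted.
    """
    caps = {c.upper() for c in capabilities}
    if tls_active:
        return "plain"
    if "STARTTLS" in caps:
        return "starttls"
    if "AUTH=CRAM-MD5" in caps:
        return "cram-md5"
    return None


def connect_imap_starttls(host, user, password, port=143):
    """Connect in clear on port 143, then upgrade before sending credentials.

    Assumes the server offers STARTTLS (or at least CRAM-MD5); otherwise the
    connection is closed and an error raised instead of falling back to a
    cleartext LOGIN, which is exactly the failure a downgrade would exploit.
    """
    conn = imaplib.IMAP4(host, port)
    mode = choose_auth(conn.capabilities)  # imaplib reads CAPABILITY on connect
    if mode == "starttls":
        # create_default_context() verifies the certificate chain and hostname.
        conn.starttls(ssl.create_default_context())
        conn.login(user, password)  # only after the upgrade
    elif mode == "cram-md5":
        conn.login_cram_md5(user, password)  # challenge-response, no clear password
    else:
        conn.logout()
        raise RuntimeError(
            "server offers neither STARTTLS nor CRAM-MD5 on port %d; "
            "refusing to send the password in clear" % port
        )
    return conn


if __name__ == "__main__":
    # Offline demonstration of the decision logic on constructed responses.
    for raw in (
        b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
        b"* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5",
        b"* CAPABILITY IMAP4rev1 AUTH=PLAIN",
    ):
        print(raw.decode(), "->", choose_auth(parse_capability_line(raw)))
```

The port-993 alternative the post ends up choosing is simply `imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())`, where TLS is negotiated before any IMAP traffic at all; the STARTTLS route above gets the same protection without a second listening port, provided the client refuses to proceed when the upgrade is missing.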

That's why I love my Series 60 phone - it supports STARTTLS perfectly, which saves me the trouble of punching another hole in my firewall for port 993 and keeps my chocolate parfait recipe secure. Mitch Kapor has one too - the phone, not the recipe. :)

So, to try to get STARTTLS support working with Mozilla Thunderbird, I looked around, gave the obligatory vote to Bug #60377 and, having given up on becoming a Mozilla hacker and solving my problems that way (yeah, I know, but I have actual paid work to do), I started looking for proxies.

This led me to DeleGate, a rather neat set of stunnel patches (which I'm very partial to, I'm afraid, since I've been using stunnel for a while now), and Perdition, which I'll be trying to get to work over the next few days.

That is, of course, provided I can actually spare the time. Oh well. And I'm not even going to complain about being as dumb as Mozilla in this regard.

No, most likely I'll just punch that hole at port 993 and be done with it.

No Doom III This ?

Slashdot is running a story that points to Doom III being delayed until 2005. Which is good for two reasons:

  • Carnage and don't mix (remember the Gremlins movies? Yeuch.)
  • That way I have less pressure to save money for a G5 (every time John Carmack cranks out a new graphics engine, all my hardware becomes obsolete)