MBOX-Line: From asuth at mozilla.com Fri Aug 29 08:50:30 2014
To: imap-protocol@u.washington.edu
From: Andrew Sutherland <asuth@mozilla.com>
Date: Fri Jun 8 12:34:53 2018
Subject: [Imap-protocol] Seeking clarity on Gmail "Access for less secure apps" setting for non XOAuth2 access
Message-ID: <5400A146.4020602@mozilla.com>

The blog post
http://googleonlinesecurity.blogspot.de/2014/04/new-security-measures-will-affect-older.html
seems to have come to fruition as the "Access for less secure apps"
setting as documented at
https://support.google.com/accounts/answer/6010255?hl=en (but not
particularly hyperlinked to/from many of the other Gmail docs.) It
sounds like this started happening around July 15th, noting that
2-factor accounts are not affected.

For the Firefox OS Gaia Email app we're trying to figure out exactly
what the impact of this is and who is affected. It does not seem
straightforward because it seems like there are a number of heuristics
in play. Specifically, I have observed:

- My existing non-2-factor account seems to have been grandfathered so
that the setting is enabled.

- I just created a brand new non-2-factor Gmail account. The Gmail
Settings UI indicated IMAP was disabled and the "Access for less secure
apps" account security setting was also disabled. I then added the
brand-new account in the app and things just magically worked. IMAP got
enabled in the Gmail UI and "access for less secure apps" also got enabled.

I applaud both the effort to protect users and the use of whatever
heuristics these are to avoid needlessly inflicting pain on users.
However, it does leave me confused what users will be impacted. Is it
just Gmail users over a certain account age who haven't leveraged PLAIN
logins in some number of months? Is it dependent on the suspicious
login heuristics? I do know that some testers have run into this
problem recently, so it's not imagined.

So my questions are these:

1) Is it possible to get a better understanding of what's going on with
when the setting will be enforced?

2) Is there some other venue for staying up-to-date with information
like this for Gmail? That blog post was somewhat nebulous, didn't get
any coverage on a blog I was subscribed to at the time where I would
have expected a mention (http://gmailblog.blogspot.com/), and I don't
believe it or its contents were directly posted to any of these IMAP
standardsy lists. The July 15th thing seemed to be something people
just inferred after it happened.

3) Is there some way I can help update documentation/hyperlinks on pages
like https://developers.google.com/gmail/xoauth2_protocol (to link to
the less secure apps docs)? On
https://support.google.com/accounts/answer/6010255?hl=en there is an
affordance to say the article is not helpful and provide feedback, but I
don't see anything on the developers site.

I do want to make it clear that I really appreciate Google/Brandon
Long's active participation on this list and I understand how busy
everyone involved likely is. I'm also on board with the idea that, like
web browsers, email apps/user agents should keep up with the state of
the art standards for the benefit/safety/privacy of their users and the
health of the net. It's just that having more of an explicit heads up
would help us make sure that we prioritize our engineering resources
appropriately ahead of time rather than having to do things reactively.

Thanks!
Andrew

PS: The Gaia email app has also been deficient in notifying servers via
"ID", if that's the venue I've been missing. Although if so, I'd still
argue this list or its friends would also be an appropriate place to post.