MBOX-Line: From blong at google.com Fri Aug 29 13:53:26 2014
To: imap-protocol@u.washington.edu
From: Brandon Long <blong@google.com>
Date: Fri Jun 8 12:34:53 2018
Subject: [Imap-protocol] Seeking clarity on Gmail "Access for less
secure apps" setting for non XOAuth2 access
In-Reply-To: <5400A146.4020602@mozilla.com>
References: <5400A146.4020602@mozilla.com>
Message-ID: <CABa8R6se2WefF4q-cFzR2qtU_5_jDL-wioPF+jPmOTdpCaJhtw@mail.gmail.com>
I certainly don't want to treat this list like a Gmail-specific list, so it
hasn't occurred to me to broadcast any of our changes to this list
specifically.
And we did reach out to our larger clients, assuming we knew who they were
and how to reach out to them.... sending us the ID command is certainly
helpful in that instance to know who our larger clients are. We also had
some discussion with Thunderbird, but assumed our fallback was sufficient
for clients who couldn't really switch to OAUTH. OAUTH2 is not ready for
Thunderbird at this point, really, since you have to pre-register to get
your client-id, and then also hard-code the various URLs for usage, as
there is no auto-discovery yet either. Unfortunately, the bad guys aren't
waiting for the standards to be written.
I assume they didn't post that to the Gmail blog because it's more important
to developers than to Gmail users at large.
Our abuse team is handling this, and so I'm not directly involved and don't
know the specifics to your questions. I'll forward this to them to see
what we can say.
I'm not really sure why the developer docs would link to the "how to avoid
using this" support page... I guess I can suggest it. I'm also not
thrilled with the wording on that page, "latest security standards".
Also, is the Gaia email app open source as well, i.e. is it something you can
reasonably use OAUTH2 with today?
Brandon
On Fri, Aug 29, 2014 at 8:50 AM, Andrew Sutherland <asuth@mozilla.com>
wrote:
> The blog post http://googleonlinesecurity.blogspot.de/2014/04/new-security-measures-will-affect-older.html
> seems to have come to fruition
> as the "Access for less secure apps" setting as documented at
> https://support.google.com/accounts/answer/6010255?hl=en (but not
> particularly hyperlinked to/from many of the other GMail docs.) It sounds
> like this started happening around July 15th, noting that 2-factor accounts
> are not affected.
>
> For the Firefox OS Gaia Email app we're trying to figure out exactly what
> the impact of this is and who is affected. It does not seem
> straightforward because it seems like there are a number of heuristics in
> play. Specifically, I have observed:
>
> - My existing non-2-factor account seems to have been grandfathered so
> that the setting is enabled.
>
> - I just created a brand new non-2-factor gmail account. The Gmail
> Settings UI indicated IMAP was disabled and the "Access for less secure
> apps" account security setting was also disabled. I then added the
> brand-new account in the app and things just magically worked. IMAP got
> enabled in the gmail UI and "access for less secure apps" also got enabled.
>
> I applaud both the effort to protect users and the use of whatever
> heuristics these are to avoid needlessly inflicting pain on users. However,
> it does leave me confused what users will be impacted. Is it just GMail
> users over a certain account age who haven't leveraged PLAIN logins in some
> number of months? Is it dependent on the suspicious login heuristics? I
> do know that some testers have run into this problem recently, so it's not
> imagined.
>
> So my questions are these:
>
> 1) Is it possible to get a better understanding of what's going on with
> when the setting will be enforced?
>
> 2) Is there some other venue for staying up-to-date with information like
> this for Gmail? That blog post was somewhat nebulous, didn't get any
> coverage on a blog I was subscribed to at the time where I would have
> expected a mention (http://gmailblog.blogspot.com/), and I don't believe
> it or its contents were directly posted to any of these IMAP standardsy
> lists. The July 15th thing seemed to be something people just inferred
> after it happened.
>
> 3) Is there some way I can help update documentation/hyperlinks on pages
> like https://developers.google.com/gmail/xoauth2_protocol (to link to the
> less secure apps docs)? On https://support.google.com/accounts/answer/6010255?hl=en
> there is an affordance to say the article is not helpful and provide
> feedback, but I don't see anything on the developers site.
>
>
> I do want to make it clear that I really appreciate Google/Brandon Long's
> active participation on this list and I understand how busy everyone
> involved likely is. I'm also on board with the idea that, like web
> browsers, email apps/user agents should keep up with the state of the art
> standards for the benefit/safety/privacy of their users and the health of
> the net. It's just that having more of an explicit heads up would help us
> make sure that we prioritize our engineering resources appropriately ahead
> of time rather than having to do things reactively.
>
> Thanks!
> Andrew
>
> PS: The Gaia email app has also been deficient in notifying servers via
> "ID", if that's the venue I've been missing. Although if so, I'd still
> argue this list or its friends would also be an appropriate place to post.
> _______________________________________________
> Imap-protocol mailing list
> Imap-protocol@u.washington.edu
> http://mailman13.u.washington.edu/mailman/listinfo/imap-protocol
>
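The thread above contrasts the two things a client can do to stay on the right side of the "less secure apps" change: identify itself with the IMAP ID command (RFC 2971), and authenticate with XOAUTH2 rather than a PLAIN/LOGIN password. The following is an added example, not code from either poster, the Gaia email app or Gmail: it builds both client commands, encodes the XOAUTH2 initial response in the format documented at the developers.google.com/gmail/xoauth2_protocol page linked in the thread, and decodes the base64 JSON that the server returns in a "+" continuation when it rejects a token. The user name, access token, client ID fields and server lines are constructed sample values, and the helper names are this example's own; no network connection is made.

```python
import base64
import json

# Constructed ID fields for a hypothetical client; the keys are the RFC 2971 ones.
SAMPLE_ID_FIELDS = {"name": "example-mail-client", "version": "1.0", "vendor": "example.org"}


def quote_imap_string(value):
    """Wrap a value as an IMAP quoted string, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_id_command(tag, fields):
    """RFC 2971: `tag ID ("key" "value" ...)`, or `tag ID NIL` when the client sends nothing."""
    if not fields:
        return f"{tag} ID NIL"
    pairs = []
    for key, value in fields.items():
        pairs.append(quote_imap_string(key))
        pairs.append(quote_imap_string(value))
    return f"{tag} ID ({' '.join(pairs)})"


def plain_login_command(tag, user, password):
    """The password-based LOGIN that the 'less secure apps' setting gates."""
    return f"{tag} LOGIN {quote_imap_string(user)} {quote_imap_string(password)}"


def xoauth2_initial_response(user, access_token):
    """base64('user=' + user + ^A + 'auth=Bearer ' + token + ^A + ^A), per Google's XOAUTH2 doc."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_initial_response(encoded):
    """Inverse of xoauth2_initial_response, used here to check the encoding round-trips."""
    raw = base64.b64decode(encoded).decode("utf-8")
    fields = {}
    for part in raw.split("\x01"):
        if part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def build_authenticate_command(tag, user, access_token):
    """Gmail advertises SASL-IR, so the initial response rides on the AUTHENTICATE line."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}"


def parse_xoauth2_failure(continuation_line):
    """On a rejected token the server sends '+ <base64 JSON>'; return the decoded JSON object."""
    if not continuation_line.startswith("+ "):
        raise ValueError("not a continuation response: " + continuation_line)
    payload = base64.b64decode(continuation_line[2:].strip())
    return json.loads(payload)


def next_client_line(tag, server_line):
    """Decide what the client sends after AUTHENTICATE given the server's reply.

    A '+' continuation carrying an error means the client must send an empty
    line to finish the exchange (the server then answers with a tagged NO);
    a tagged OK means the session is authenticated and nothing more is owed.
    """
    if server_line.startswith("+ "):
        return ""
    if server_line.startswith(tag + " OK"):
        return None
    raise ValueError("unexpected server reply: " + server_line)


# Constructed failure line of the shape the XOAUTH2 doc describes (status/schemes/scope).
SAMPLE_FAILURE_LINE = "+ " + base64.b64encode(
    json.dumps({"status": "401", "schemes": "bearer", "scope": "https://mail.google.com/"}).encode()
).decode("ascii")


if __name__ == "__main__":
    print(build_id_command("a001", SAMPLE_ID_FIELDS))
    print(build_authenticate_command("a002", "user@example.com", "ya29.sample-token"))
    print(parse_xoauth2_failure(SAMPLE_FAILURE_LINE))
    print(repr(next_client_line("a002", SAMPLE_FAILURE_LINE)))
```

Sending the ID command before AUTHENTICATE is what lets a server operator tell which client a session belongs to, which is exactly the information Brandon says Google lacked when notifying larger clients; the empty-line continuation after a rejected XOAUTH2 token is the step clients most often miss, leaving the connection hung on the server's "+" prompt.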