MBOX-Line: From blong at google.com Fri Aug 29 13:53:26 2014
To: imap-protocol@u.washington.edu
From: Brandon Long <blong@google.com>
Date: Fri Jun 8 12:34:53 2018
Subject: [Imap-protocol] Seeking clarity on Gmail "Access for less secure apps" setting for non XOAuth2 access
In-Reply-To: <5400A146.4020602@mozilla.com>
References: <5400A146.4020602@mozilla.com>
Message-ID: <CABa8R6se2WefF4q-cFzR2qtU_5_jDL-wioPF+jPmOTdpCaJhtw@mail.gmail.com>

I certainly don't want to treat this list like a Gmail specific list, so it
hasn't occurred to me to broadcast any of our changes to this list
specifically.

And we did reach out to our larger clients, assuming we knew who they were
and how to reach out to them.... sending us the ID command is certainly
helpful in that instance to know who our larger clients are. We also had
some discussion with Thunderbird, but assumed our fallback was sufficient
for clients who couldn't really switch to OAUTH. OAUTH2 is not ready for
Thunderbird at this point, really, since you have to pre-register to get
your client-id, and then also hard-code the various URLs for usage, as
there is no auto-discovery yet either. Unfortunately, the bad guys aren't
waiting for the standards to be written.

I assume they didn't post that to the Gmail blog because it's more important
to developers than to Gmail users at large.

Our abuse team is handling this, and so I'm not directly involved and don't
know the specifics to your questions. I'll forward this to them to see
what we can say.

I'm not really sure why the developer docs would link to the "how to avoid
using this" support page... I guess I can suggest it. I'm also not
thrilled with the wording on that page, "latest security standards".

Also, is the Gaia email app open source as well, i.e. is it something you can
reasonably use OAUTH2 with today?

Brandon

On Fri, Aug 29, 2014 at 8:50 AM, Andrew Sutherland <asuth@mozilla.com>
wrote:

> The blog post http://googleonlinesecurity.blogspot.de/2014/04/new-
> security-measures-will-affect-older.html seems to have come to fruition
> as the "Access for less secure apps" setting as documented at
> https://support.google.com/accounts/answer/6010255?hl=en (but not
> particularly hyperlinked to/from many of the other GMail docs.) It sounds
> like this started happening around July 15th, noting that 2-factor accounts
> are not affected.
>
> For the Firefox OS Gaia Email app we're trying to figure out exactly what
> the impact of this is and who is affected. It does not seem
> straightforward because it seems like there are a number of heuristics in
> play. Specifically, I have observed:
>
> - My existing non-2-factor account seems to have been grandfathered so
> that the setting is enabled.
>
> - I just created a brand new non-2-factor gmail account. The Gmail
> Settings UI indicated IMAP was disabled and the "Access for less secure
> apps" account security setting was also disabled. I then added the
> brand-new account in the app and things just magically worked. IMAP got
> enabled in the gmail UI and "access for less secure apps" also got enabled.
>
> I applaud both the effort to protect users and the use of whatever
> heuristics these are to avoid needlessly inflicting pain on users. However,
> it does leave me confused what users will be impacted. Is it just GMail
> users over a certain account age who haven't leveraged PLAIN logins in some
> number of months? Is it dependent on the suspicious login heuristics? I
> do know that some testers have run into this problem recently, so it's not
> imagined.
>
> So my questions are these:
>
> 1) Is it possible to get a better understanding of what's going on with
> when the setting will be enforced?
>
> 2) Is there some other venue for staying up-to-date with information like
> this for Gmail? That blog post was somewhat nebulous, didn't get any
> coverage on a blog I was subscribed to at the time where I would have
> expected a mention (http://gmailblog.blogspot.com/), and I don't believe
> it or its contents were directly posted to any of these IMAP standardsy
> lists. The July 15th thing seemed to be something people just inferred
> after it happened.
>
> 3) Is there some way I can help update documentation/hyperlinks on pages
> like https://developers.google.com/gmail/xoauth2_protocol (to link to the
> less secure apps docs)? On https://support.google.com/
> accounts/answer/6010255?hl=en there is an affordance to say the article
> is not helpful and provide feedback, but I don't see anything on the
> developers site.
>
>
> I do want to make it clear that I really appreciate Google/Brandon Long's
> active participation on this list and I understand how busy everyone
> involved likely is. I'm also on board with the idea that, like web
> browsers, email apps/user agents should keep up with the state of the art
> standards for the benefit/safety/privacy of their users and the health of
> the net. It's just that having more of an explicit heads up would help us
> make sure that we prioritize our engineering resources appropriately ahead
> of time rather than having to do things reactively.
>
> Thanks!
> Andrew
>
> PS: The Gaia email app has also been deficient in notifying servers via
> "ID", if that's the venue I've been missing. Although if so, I'd still
> argue this list or its friends would also be an appropriate place to post.
> _______________________________________________
> Imap-protocol mailing list
> Imap-protocol@u.washington.edu
> http://mailman13.u.washington.edu/mailman/listinfo/imap-protocol
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman13.u.washington.edu/pipermail/imap-protocol/attachments/20140829/44573899/attachment.html>
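The thread touches two client-side mechanics: sending the IMAP ID command (RFC 2971) so the server operator can tell which client is connecting, and preferring SASL XOAUTH2 over a password fallback when the server advertises it. The following is an added example (editor's code, not Gaia's, Thunderbird's or Google's) that builds those command lines from a CAPABILITY response. The capability string, the tag scheme (a01, a02, ...) and the hypothetical client name are constructed for the example; the XOAUTH2 initial-response layout ("user=" user ^A "auth=Bearer " token ^A ^A, base64-encoded) follows Google's published XOAUTH2 protocol page that the thread links to.

```python
import base64
from typing import Dict, List, Optional, Set

# Constructed sample: the kind of untagged CAPABILITY response an IMAP server
# sends before login. It advertises ID (RFC 2971), SASL-IR (RFC 4959) and
# both the XOAUTH2 and PLAIN SASL mechanisms.
SAMPLE_CAPABILITY = ("* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID "
                     "SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=OAUTHBEARER")


def parse_capability_line(line: str) -> Set[str]:
    """Turn '* CAPABILITY a b c' (or a bare atom list) into an upper-cased set."""
    atoms = line.strip().split()
    if len(atoms) >= 2 and atoms[0] == "*" and atoms[1].upper() == "CAPABILITY":
        atoms = atoms[2:]
    return {a.upper() for a in atoms}


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response: base64("user=" u ^A "auth=Bearer " t ^A ^A)."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("control character in credentials")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def choose_auth(caps: Set[str], have_token: bool) -> str:
    """Pick the strongest mechanism the server offers that this client can use.

    A client holding an OAuth token must not quietly fall back to a password
    mechanism; the password paths are only reached when no token is available.
    """
    if have_token and "AUTH=XOAUTH2" in caps:
        return "XOAUTH2"
    if "AUTH=PLAIN" in caps:
        return "PLAIN"
    if "LOGINDISABLED" not in caps:  # RFC 2595: LOGINDISABLED forbids the LOGIN command
        return "LOGIN"
    raise ValueError("server offers no mechanism this client can use")


def imap_id_command(tag: str, fields: Dict[str, str]) -> str:
    """RFC 2971 ID command. The RFC caps it at 30 pairs, 30-octet names, 1024-octet values."""
    if not fields:
        return f"{tag} ID NIL\r\n"
    if len(fields) > 30:
        raise ValueError("ID allows at most 30 field/value pairs")

    def quoted(s: str) -> str:
        if "\r" in s or "\n" in s:
            raise ValueError("CR/LF not allowed in an IMAP quoted string")
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

    parts = []
    for name, value in fields.items():
        if len(name.encode()) > 30 or len(value.encode()) > 1024:
            raise ValueError(f"ID field {name!r} exceeds RFC 2971 length limits")
        parts.append(f"{quoted(name)} {quoted(value)}")
    return f"{tag} ID ({' '.join(parts)})\r\n"


def client_login_commands(capability_line: str, user: str,
                          access_token: Optional[str],
                          client_id: Dict[str, str]) -> Dict[str, object]:
    """Return the mechanism chosen and the command lines to send, in order.

    Identifies the client first (when the server supports ID), then authenticates
    with XOAUTH2. For password mechanisms only the ID line is produced: the caller
    must obtain a password before it can continue.
    """
    caps = parse_capability_line(capability_line)
    tags = (f"a{n:02d}" for n in range(1, 100))  # constructed tag scheme
    commands: List[str] = []
    if "ID" in caps:
        commands.append(imap_id_command(next(tags), client_id))
    mechanism = choose_auth(caps, access_token is not None)
    if mechanism == "XOAUTH2":
        ir = xoauth2_initial_response(user, access_token or "")
        if "SASL-IR" in caps:
            # RFC 4959: initial response may ride on the AUTHENTICATE line itself.
            commands.append(f"{next(tags)} AUTHENTICATE XOAUTH2 {ir}\r\n")
        else:
            # Otherwise the client waits for the server's "+" continuation, then sends it.
            commands.append(f"{next(tags)} AUTHENTICATE XOAUTH2\r\n")
            commands.append(f"{ir}\r\n")
    return {"mechanism": mechanism, "commands": commands}


if __name__ == "__main__":
    plan = client_login_commands(SAMPLE_CAPABILITY, "someuser@example.com",
                                 "constructed-token", {"name": "ExampleMail", "version": "1.0"})
    print(plan["mechanism"])
    for line in plan["commands"]:
        print(repr(line))
```

The ID line goes out before AUTHENTICATE so that the server can attribute even a failed login to a client name and version, which is the information the reply above says would have helped in reaching affected clients.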