MBOX-Line: From angel at 16bits.net Fri Aug 29 16:51:03 2014
To: imap-protocol@u.washington.edu
From: Ángel González <angel@16bits.net>
Date: Fri Jun 8 12:34:53 2018
Subject: [Imap-protocol] Seeking clarity on Gmail "Access for less
secure apps" setting for non XOAuth2 access
In-Reply-To: <CABa8R6se2WefF4q-cFzR2qtU_5_jDL-wioPF+jPmOTdpCaJhtw@mail.gmail.com>
References: <5400A146.4020602@mozilla.com>
<CABa8R6se2WefF4q-cFzR2qtU_5_jDL-wioPF+jPmOTdpCaJhtw@mail.gmail.com>
Message-ID: <1409356263.2096.7.camel@16bits.net>

Brandon Long wrote:
> I'm not really sure why the developer docs would link to the "how to
> avoid using this" support page... I guess I can suggest it. I'm also
> not thrilled with the wording on that page, "latest security
> standards".
That's definitely confusing. Just talking about "less secure apps"
without specifying why you consider them "less secure" is useless.
When I first read that page I thought it was referring to using a weak
ciphersuite in TLS (for some definition of "weak").
(I did report it on the feedback form, but the page keeps the same
-other than now there is the "Allow less secure apps" option- )
You need to relate [1] with [2] in order to understand what it is
talking about.
1-https://support.google.com/accounts/answer/6010255?hl=en
2-http://googleonlinesecurity.blogspot.de/2014/04/new-security-measures-will-affect-older.html
>
> OAUTH2 is not ready for Thunderbird at this point, really, since you
> have to pre-register to get your client-id, and then also hard-code
> the various URLs for usage, as there is no auto-discovery yet either.
> Unfortunately, the bad guys aren't waiting for the standards to be
> written. Our abuse team is handling this, and so I'm not directly
> involved and don't know the specifics (...)
>
I wonder what/how they are trying to fix. An application-specific
password can provide the same benefits as OAUTH2* -except for the
automatic refresh when it expires after 6 months- yet they are only
available with two-factor authentication.
* Although with a little more work from the user generating them. For
feature parity, instead of the program handing an identifying token, the
user would need to follow a Wizard and choose the MUA they are using
(with 'other' being unrestricted).
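The message above contrasts Gmail's XOAUTH2 path with "less secure" password-based IMAP logins. The following is an added example (not code from the list thread or from Google) showing what the two client-side authentication exchanges actually look like on the wire: the SASL XOAUTH2 initial client response (the `user=...^Aauth=Bearer ...^A^A` format Google documents) and the SASL PLAIN response a client would send with a password or an application-specific password. It also shows how a client can pick the mechanism from the server's CAPABILITY list. The user name, token, password and capability string are constructed sample values.

```python
import base64
from typing import List, Optional, Tuple

# Constructed sample capability line, in the shape an IMAP server returns
# to CAPABILITY (not a captured Gmail response).
SAMPLE_CAPABILITIES = "IMAP4rev1 UNSELECT IDLE AUTH=XOAUTH2 AUTH=PLAIN".split()


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Build the SASL XOAUTH2 initial client response for AUTHENTICATE XOAUTH2.

    The payload is 'user=<user>\x01auth=Bearer <token>\x01\x01' and is sent
    base64-encoded, as in the XOAUTH2 mechanism Gmail advertises.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw)


def decode_xoauth2_response(encoded: bytes) -> Tuple[str, str]:
    """Inverse of xoauth2_initial_response: returns (user, access_token).

    Useful in a test or a protocol trace viewer; raises ValueError if the
    payload does not have the expected two-field, double-terminated shape.
    """
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("XOAUTH2 payload must end with two SOH bytes")
    fields = raw[:-2].split("\x01")
    if len(fields) != 2 or not fields[0].startswith("user=") or not fields[1].startswith("auth=Bearer "):
        raise ValueError("unexpected XOAUTH2 payload layout")
    return fields[0][len("user="):], fields[1][len("auth=Bearer "):]


def plain_initial_response(user: str, password: str) -> bytes:
    """Build the SASL PLAIN (RFC 4616) initial response: NUL authcid NUL passwd,
    with an empty authorization identity, base64-encoded.

    This is what a client sends when it logs in with a regular password or an
    application-specific password instead of an OAuth token.
    """
    raw = b"\x00" + user.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return base64.b64encode(raw)


def choose_mechanism(capabilities: List[str], have_oauth_token: bool) -> Optional[str]:
    """Pick a SASL mechanism from the server's CAPABILITY list.

    Prefer XOAUTH2 when the client holds a bearer token and the server
    advertises AUTH=XOAUTH2; otherwise fall back to PLAIN if offered.
    Returns None when neither is available, so the caller does not silently
    downgrade to an unlisted mechanism.
    """
    offered = {c.upper() for c in capabilities}
    if have_oauth_token and "AUTH=XOAUTH2" in offered:
        return "XOAUTH2"
    if "AUTH=PLAIN" in offered:
        return "PLAIN"
    return None


def build_authenticate_command(tag: str, mechanism: str, initial_response: bytes) -> str:
    """Render the IMAP AUTHENTICATE command line with the initial response
    (SASL-IR form, RFC 4959), e.g. 'a1 AUTHENTICATE XOAUTH2 <base64>'."""
    return f"{tag} AUTHENTICATE {mechanism} {initial_response.decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample credentials; not real accounts or tokens.
    user = "alice@example.com"
    token = "ya29.SAMPLE-ACCESS-TOKEN"
    app_password = "abcd efgh ijkl mnop"

    mech = choose_mechanism(SAMPLE_CAPABILITIES, have_oauth_token=True)
    if mech == "XOAUTH2":
        print(build_authenticate_command("a1", mech, xoauth2_initial_response(user, token)))
    else:
        print(build_authenticate_command("a1", "PLAIN", plain_initial_response(user, app_password)))
```

The decoder exists so the exact byte layout (two SOH separators plus the double terminator) can be checked rather than assumed; a mis-built payload is the usual reason a client gets a generic authentication failure from the server instead of a clear error.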