MBOX-Line: From angel at 16bits.net Fri Aug 29 16:51:03 2014
To: imap-protocol@u.washington.edu
From: Ángel González <angel@16bits.net>
Date: Fri Jun 8 12:34:53 2018
Subject: [Imap-protocol] Seeking clarity on Gmail "Access for less
	secure apps" setting for non XOAuth2 access
In-Reply-To: <CABa8R6se2WefF4q-cFzR2qtU_5_jDL-wioPF+jPmOTdpCaJhtw@mail.gmail.com>
References: <5400A146.4020602@mozilla.com>
	<CABa8R6se2WefF4q-cFzR2qtU_5_jDL-wioPF+jPmOTdpCaJhtw@mail.gmail.com>
Message-ID: <1409356263.2096.7.camel@16bits.net>

Brandon Long wrote:

> I'm not really sure why the developer docs would link to the "how to
> avoid using this" support page... I guess I can suggest it. I'm also
> not thrilled with the wording on that page, "latest security
> standards".

That's definitely confusing. Just talking about "less secure apps"
without specifying why you consider them "less secure" is useless.
When I first read that page I thought it was referring to using a weak
ciphersuite in TLS (for some definition of "weak").

(I did report it on the feedback form, but the page stays the same
-other than that now there is the "Allow less secure apps" option-)

You need to relate [1] with [2] in order to understand what it is
talking about.
1-https://support.google.com/accounts/answer/6010255?hl=en
2-http://googleonlinesecurity.blogspot.de/2014/04/new-security-measures-will-affect-older.html

>
> OAUTH2 is not ready for Thunderbird at this point, really, since you
> have to pre-register to get your client-id, and then also hard-code
> the various URLs for usage, as there is no auto-discovery yet either.
> Unfortunately, the bad guys aren't waiting for the standards to be
> written. Our abuse team is handling this, and so I'm not directly
> involved and don't know the specifics (...)
>
I wonder what/how they are trying to fix. An application-specific
password can provide the same benefits as OAUTH2* -except for the
automatic refresh when it expires after 6 months- yet they are only
available with two-factor authentication.

* Although with a little more work from the user generating them. For
feature parity, instead of the program handing an identifying token, the
user would need to follow a wizard and choose the MUA they are using
(with 'other' being unrestricted).

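The two client authentication paths this message compares, shown on the wire as an added example (this is not code from the original message, from Thunderbird or from Google): one function builds the SASL XOAUTH2 initial client response that follows "AUTHENTICATE XOAUTH2" (the documented format is "user=<addr>^Aauth=Bearer <token>^A^A", base64-encoded, where ^A is byte 0x01), a second one parses and validates it the way a server would, and a third builds the plain LOGIN command a client would send with an application-specific password instead, including IMAP quoted-string escaping. The address, bearer token and app password are constructed placeholders; all function names are my own.

```python
import base64
import re

# Constructed sample values (not from the thread). A real access token is an
# opaque string issued by the OAuth2 token endpoint; the app password here
# deliberately contains a double quote to exercise IMAP quoting.
SAMPLE_USER = "someuser@example.com"
SAMPLE_TOKEN = "ya29.constructed-placeholder-access-token"
SAMPLE_APP_PASSWORD = 'abcd efgh ijkl "mnop'


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Client side: build the base64 SASL XOAUTH2 initial response.

    Wire format before base64: user=<addr>\\x01auth=Bearer <token>\\x01\\x01
    The 0x01 byte is the field separator, so it must not appear in either field.
    """
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("0x01 is the XOAUTH2 field separator and cannot appear in a field")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


# Strict server-side grammar: exactly two fields, in this order, both terminators present.
_XOAUTH2_RE = re.compile(rb"user=([^\x01]+)\x01auth=Bearer ([^\x01]+)\x01\x01")


def parse_xoauth2_initial_response(b64: str) -> tuple[str, str]:
    """Server side: decode and validate; returns (user, token) or raises ValueError."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError) as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("initial response is not valid base64") from exc
    m = _XOAUTH2_RE.fullmatch(raw)
    if m is None:
        raise ValueError("malformed XOAUTH2 initial response (missing field or terminator)")
    return m.group(1).decode("utf-8"), m.group(2).decode("utf-8")


def imap_quoted(s: str) -> str:
    """IMAP quoted-string: backslash-escape '\\' and '"'; CR/LF are not allowed."""
    if "\r" in s or "\n" in s:
        raise ValueError("CR/LF are not allowed in an IMAP quoted string")
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def authenticate_command(tag: str, user: str, access_token: str) -> str:
    """Full IMAP command line using a bearer token. Sending the initial response on the
    same line requires the server to advertise SASL-IR; otherwise the client sends
    'AUTHENTICATE XOAUTH2' alone and the same base64 string in reply to the '+' continuation."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}\r\n"


def login_command(tag: str, user: str, app_password: str) -> str:
    """Full IMAP command line using an application-specific password (no token lifetime,
    no refresh, but the password itself is a long-lived credential the client must store)."""
    return f"{tag} LOGIN {imap_quoted(user)} {imap_quoted(app_password)}\r\n"


if __name__ == "__main__":
    print(authenticate_command("a1", SAMPLE_USER, SAMPLE_TOKEN), end="")
    print(login_command("a2", SAMPLE_USER, SAMPLE_APP_PASSWORD), end="")
    print(parse_xoauth2_initial_response(xoauth2_initial_response(SAMPLE_USER, SAMPLE_TOKEN)))
```

The parser is deliberately strict: a response missing the second terminator, or with the fields in the wrong order, is rejected rather than guessed at. On a failed XOAUTH2 authentication Google's servers answer with a "+" continuation carrying a base64 JSON error, to which the client replies with an empty line before the tagged NO arrives; that part of the exchange is not modelled here.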