A Windows XP help forum. PCbanter



Tbird



 
 
#1 November 12th 18, 11:05 PM, posted to microsoft.public.windowsxp.general
OhRats
Subject: Tbird

According to GMail, Thunderbird is a less secure app.

What ?

#2 November 13th 18, 06:14 AM, posted to microsoft.public.windowsxp.general
VanguardLH
Subject: Tbird

OhRats wrote:

> According to GMail, Thunderbird is a less secure app.


Make sure the account within Tbird is configured to use OAUTH2. On the
first connect to your account, you need to provide your login
credentials (username and password) whereupon a token is created that is
reused for subsequent connections. It effects a cookie for re-login
much like a stored password. The result of using a token (instead of
stored login credentials within a client) is that the owner of multiple
domains can reuse the token to access their other affiliated domains.
Great, instead of the practice of securing your login credentials by
using different credentials at different sites (so those stolen/hacked
from one site cannot be reused at other common sites trying to hack into
your other accounts), you get "one ring for them all" (Lord of the
Rings, https://en.wikipedia.org/wiki/One_Ring).

https://en.wikipedia.org/wiki/OAuth

Any e-mail client that does not support OAUTH2 is considered insecure by
Google. This is because Google got involved in OAUTH1 but ruined it in
OAUTH2 (by making it easier to implement but less secure than version 1
and also incompatible with version 1).

https://en.wikipedia.org/wiki/OAuth#OAuth_2.0

OAUTH1 was a protocol. OAUTH2 is not a protocol. It is a framework and
why anyone implementing it may come up with their own proprietary
protocol. OAUTH2 became not a security protocol for your connection to
their server but instead a means of identifying (aka fingerprinting) who
is connecting to their server (i.e., authentication via identity versus
authentication via credentials). It's not about securing you. It's
about securing them.

One of the primary authors involved in OAUTH1 left the OAUTH2 project
because he was disgusted how Google mangled the spec for their own
purposes. Here's a video of the main OAUTH editor, Eran Hammer, until
Google got in the way. He apologizes in a video for the **** up that
became OAUTH2 and why it sucks:

https://vimeo.com/52882780
(gee, I wonder why this video isn't at Google's Youtube)

Other e-mail providers embraced OAUTH1 or decided to naively follow
Google and went to OAUTH2. That means you cannot use a local e-mail
client unless it supports OAUTH2 for Google to lie to you about the
client being secure. If your client does not support OAUTH2, you need
to go into the server-side settings for your account to disable the
wrongly described option "allow insecure client". What the option
really does is allow access by non-OAUTH2 clients.

As for Thunderbird and OAUTH2, see:

http://kb.mozillazine.org/Using_Gmai..._Mozilla_Suite

I don't use Thunderbird anymore (after a 6-month trial a couple years
ago, I moved back to MS Outlook), so I don't know if there is an OAUTH2
option for login settings within an account defined within Thunderbird.
From:

https://support.mozilla.org/en-US/questions/1212671
https://prod-cdn.sumo.mozilla.net/up...-28-a70ce8.png

it appears you may need a newer version of Thunderbird than what you
might have to have OAUTH as a login option. However, I didn't see an
OAUTH option after creating the Gmail account, so maybe you have to
delete your old Gmail account and create a new one making sure that
somehow it gets OAUTH support. Perhaps within a Gmail account already
defined in Tbird, the drop-down "Authentication type" list has OAUTH2 as
a choice.
#3 November 13th 18, 06:20 AM, posted to microsoft.public.windowsxp.general
Paul
Subject: Tbird

OhRats wrote:
> According to GMail, Thunderbird is a less secure app.
>
> What ?


https://support.mozilla.org/en-US/questions/1212671

"Oauth is only available for gmail using IMAP and SMTP.
It is not an option when using POP."


"Helpful Reply

Thunderbird added Oauth2 to version 38 after gmail
deemed everyone but them "less secure apps".
"

Oauth is a web-based authentication method, added
to email which has its own protocols for authentication.
As such, the email developer community was suspicious
of Google intentions.

Using the less secure app setting in your webmail Gmail
setup, helps ensure that regular email applications that
lack Oauth, will work. Based on the above information,
it's possible that a POP3 setup may benefit from such
a setting.

Paul

#4 November 13th 18, 06:28 AM, posted to microsoft.public.windowsxp.general
Ralph Fox
Subject: Tbird

On Mon, 12 Nov 2018 14:05:43 -0800, OhRats wrote:

> According to GMail, Thunderbird is a less secure app.
>
> What ?



In Thunderbird, change the 'Authentication method' for Gmail to "OAuth2",
in both:
* The Gmail account server settings (assuming it is an IMAP account);
* The outgoing server (SMTP) settings for Gmail

Screen-shot: http://i.imgur.com/dPUg7N3.png


Gmail only says that about Thunderbird because Thunderbird has been
configured to use 'Normal password' authentication instead of 'OAuth2'.

The real insecurity which Gmail is trying to block is not Thunderbird.
It is that when Gmail's servers accept 'Normal password' authentication
the accounts are more likely to get hacked than when they only accept
'OAuth2' authentication.

What Gmail wants you to do is to:
* Turn off 'allow less secure apps', which means Gmail's servers
won't accept 'Normal password' authentication with your Google
account password;
* Configure Thunderbird to use 'OAuth2' authentication which lets you
access your email when 'allow less secure apps' is turned off.



--
Kind regards
Ralph
#5 November 13th 18, 08:15 AM, posted to microsoft.public.windowsxp.general
Ralph Fox
Subject: Tbird

On Tue, 13 Nov 2018 00:20:58 -0500, Paul wrote:

> Oauth is a web-based authentication method, added
> to email which has its own protocols for authentication.


The one-time OAuth2 token generation is web-based, for
which Thunderbird uses its own built-in web client.
This only happens once, at the time you change to OAuth2.

The regular authentication, each time Thunderbird accesses
Gmail, is *not* web-based.


--
Kind regards
Ralph
#6 November 13th 18, 11:21 AM, posted to microsoft.public.windowsxp.general
J. P. Gilliver (John)
Subject: Oauth2 and POP (was: Tbird)

In message , Paul
writes:
> OhRats wrote:
>> According to GMail, Thunderbird is a less secure app.
>> What ?
>
> https://support.mozilla.org/en-US/questions/1212671
>
> "Oauth is only available for gmail using IMAP and SMTP.
> It is not an option when using POP."
>
> "Helpful Reply
>
> Thunderbird added Oauth2 to version 38 after gmail
> deemed everyone but them "less secure apps".
> "

[]
Is Oauth2 not available at all with POP, or is it only Thunderbird that
doesn't support that combination?

If the combination is not available at all, what does Google (who appear
to be the drivers of Oauth2) have against POP? (I _don't_ want to start
the POP/IMAP wars again; I just want to know what _Google_ have against
POP. Assuming the combination _isn't_ available.)

If you _can_ do Oauth2 with POP, has Mozilla said anything about plans
to add the combination to Thunderbird (assuming I am correctly reading
the above as meaning the combination isn't currently there)?
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

What's awful about weird views is not the views. It's the intolerance. If
someone wants to worship the Duke of Edinburgh or a pineapple, fine. But don't
kill me if I don't agree. - Tim Rice, Radio Times 15-21 October 2011.
#7 November 14th 18, 09:47 AM, posted to microsoft.public.windowsxp.general
Ralph Fox
Subject: Oauth2 and POP (was: Tbird)

On Tue, 13 Nov 2018 10:21:10 +0000, J. P. Gilliver (John) wrote:

> Is Oauth2 not available at all with POP, or is it only Thunderbird that
> doesn't support that combination?
>
> If the combination is not available at all, what does Google (who appear
> to be the drivers of Oauth2) have against POP? (I _don't_ want to start
> the POP/IMAP wars again; I just want to know what _Google_ have against
> POP. Assuming the combination _isn't_ available.)
>
> If you _can_ do Oauth2 with POP, has Mozilla said anything about plans
> to add the combination to Thunderbird (assuming I am correctly reading
> the above as meaning the combination isn't currently there)?



Gmail is not the only email provider supporting OAuth2.
Other email providers include mail.ru, AOL, and Yahoo.

Gmail supports Oauth2 with IMAP and SMTP but not with POP.
I do not know what is the case with other email providers who
support Oauth2.

Thunderbird does not offer OAuth2 for Gmail POP accounts because
there is no value in offering something which is not going to
work. It would only attract complaints.

I do not know whether your question "Is Oauth2 not available
at all with POP" refers only to Gmail, whether it refers to
other email providers as well, or whether it refers to what is
possible in the POP protocol (whether or not email providers
provide support with POP).



--
Kind regards
Ralph
#8 November 14th 18, 02:46 PM, posted to microsoft.public.windowsxp.general
J. P. Gilliver (John)
Subject: Oauth2 and POP (was: Tbird)

In message , Ralph Fox
writes:
> On Tue, 13 Nov 2018 10:21:10 +0000, J. P. Gilliver (John) wrote:
>
>> Is Oauth2 not available at all with POP, or is it only Thunderbird that
>> doesn't support that combination?
>>
>> If the combination is not available at all, what does Google (who appear
>> to be the drivers of Oauth2) have against POP? (I _don't_ want to start
>> the POP/IMAP wars again; I just want to know what _Google_ have against
>> POP. Assuming the combination _isn't_ available.)
>>
>> If you _can_ do Oauth2 with POP, has Mozilla said anything about plans
>> to add the combination to Thunderbird (assuming I am correctly reading
>> the above as meaning the combination isn't currently there)?
>
> Gmail is not the only email provider supporting OAuth2.
> Other email providers include mail.ru, AOL, and Yahoo.

Useful information.

> Gmail supports Oauth2 with IMAP and SMTP but not with POP.
> I do not know what is the case with other email providers who
> support Oauth2.

Fair enough.

> Thunderbird does not offer OAuth2 for Gmail POP accounts because
> there is no value in offering something which is not going to
> work. It would only attract complaints.

That makes sense - _if_ the bar in TB is only for gmail accounts (see
next bit below).

> I do not know whether your question "Is Oauth2 not available
> at all with POP" refers only to Gmail, whether it refers to
> other email providers as well, or whether it refers to what is
> possible in the POP protocol (whether or not email providers
> provide support with POP).

No, I was asking if there's something in either the Oauth2 protocol (?)
or the POP protocol that prevents them working together. (If they _can_
work together, and it's just gmail who don't accept the combination,
then Mozilla adding the possibility to TB _could_ have a use [perhaps
locking it out for gmail specifically, as you say that would attract
complaints].)


--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

More people watch live theatre every year than Premier League football
matches. - Libby Purves, RT 2017/9/30-10/6
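
Added example (not part of any post in this thread, and not Thunderbird's or Gmail's code): the per-connection authentication discussed in posts #5 and #8 is a SASL exchange carried inside IMAP, SMTP or POP3, and this Python code builds the XOAUTH2 and PLAIN initial responses and decodes them to show which one carries the account password. The account name, token and password are constructed sample values and the function names are this example's own; the POP3 framing follows the generic SASL AUTH command of RFC 5034 and says nothing about which mechanisms a given provider accepts.

```python
import base64

def xoauth2_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial response: carries an OAuth2 bearer token, no password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def plain_response(user: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL password."""
    return base64.b64encode(f"\x00{user}\x00{password}".encode()).decode()

def auth_command(protocol: str, mechanism: str, response: str) -> str:
    """Frame the same SASL response for each mail protocol."""
    if protocol == "imap":
        return f"A1 AUTHENTICATE {mechanism} {response}"  # SASL-IR, RFC 4959
    if protocol in ("smtp", "pop3"):
        return f"AUTH {mechanism} {response}"  # RFC 4954 / RFC 5034
    raise ValueError(f"unknown protocol: {protocol}")

def classify(line: str) -> dict:
    """Decode a client AUTH/AUTHENTICATE line and report which secret it carries."""
    parts = line.split()
    verb = next((i for i, p in enumerate(parts)
                 if p.upper() in ("AUTH", "AUTHENTICATE")), None)
    if verb is None or len(parts) < verb + 3:
        raise ValueError("not a SASL command with an initial response")
    mech = parts[verb + 1].upper()
    raw = base64.b64decode(parts[verb + 2]).decode()
    if mech == "XOAUTH2":
        fields = dict(kv.split("=", 1) for kv in raw.split("\x01") if kv)
        if not fields.get("auth", "").startswith("Bearer "):
            raise ValueError("malformed XOAUTH2 response")
        return {"mechanism": mech, "user": fields["user"], "carries_password": False}
    if mech == "PLAIN":
        _authzid, user, _password = raw.split("\x00", 2)
        return {"mechanism": mech, "user": user, "carries_password": True}
    raise ValueError(f"unhandled mechanism: {mech}")

# Constructed sample values, not real credentials.
USER = "alice@example.com"
SESSION = [
    auth_command("imap", "XOAUTH2", xoauth2_response(USER, "constructed-access-token")),
    auth_command("smtp", "XOAUTH2", xoauth2_response(USER, "constructed-access-token")),
    auth_command("pop3", "PLAIN", plain_response(USER, "constructed-password")),
]

if __name__ == "__main__":
    for line in SESSION:
        print(classify(line))
```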
 





All times are GMT +1.

