If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Tbird
According to GMail, Thunderbird is a less secure app.
What ? |
Ads |
#2
|
|||
|
|||
Tbird
OhRats wrote:
According to GMail, Thunderbird is a less secure app. Make sure the account within Tbird is configured to use OAUTH2. On the first connect to your account, you need to provide your login credentials (username and password) whereupon a token is created that is reused for subsequent connections. It effects a cookie for re-login much like a stored password. The result of using a token (instead of stored login credentials within a client) is that the owner of multiple domains can reuse the token to access their other affiliated domains. Great, instead of the practice of securing your login credentials by using different credentials at different sites (so those stolen/hacked from one site cannot be reused at other common sites trying to hack into your other accounts), you get "one ring for them all" (Lord of the Rings, https://en.wikipedia.org/wiki/One_Ring). https://en.wikipedia.org/wiki/OAuth Any e-mail client that does not support OAUTH2 is considered insecure by Google. This is because Google got involved in OAUTH1 but ruined it in OAUTH2 (by making it easier to implement but less secure than version 1 and also incompatible with version 1). https://en.wikipedia.org/wiki/OAuth#OAuth_2.0 OAUTH1 was a protocol. OAUTH2 is not a protocol. It is a framework and why anyone implementing it may come up with their own proprietary protocol. OAUTH2 became not a security protocol for your connection to their server but instead a means of identifying (aka fingerprinting) who is connecting to their server (i.e., authentication via identity versus authentication via credentials). It's not about securing you. It's about securing them. One of the primary authors involved in OAUTH1 left the OAUTH2 project because he was disgusted how Google mangled the spec for their own purposes. Here's a video of the main OAUTH editor, Eran Hammer, until Google got in the way. He apologizes in a video for the **** up that became OAUTH2 and why it sucks: https://vimeo.com/52882780 (gee, I wonder why this video isn't at Google's Youtube) Other e-mail providers embraced OAUTH1 or decided to naively follow Google and went to OAUTH2. That means you cannot use a local e-mail client unless it supports OAUTH2 for Google to lie to you about the client being secure. If your client does not support OAUTH2, you need to go into the server-side settings for your account to disable the wrongly described option "allow insecure client". What the option really does is allow access by non-OAUTH2 clients. As for Thunderbird and OAUTH2, see: http://kb.mozillazine.org/Using_Gmai..._Mozilla_Suite I don't use Thunderbird anymore (after a 6-month trial a couple years ago, I moved back to MS Outlook), so I don't know if there is an OAUTH2 option for login settings within an account defined within Thunderbird. From: https://support.mozilla.org/en-US/questions/1212671 https://prod-cdn.sumo.mozilla.net/up...-28-a70ce8.png it appears you may need a newer version of Thunderbird than what you might have to have OAUTH as a login option. However, I didn't see an OAUTH option after creating the Gmail account, so maybe you have to delete your old Gmail account and create a new one making sure that somehow it gets OAUTH support. Perhaps within a Gmail account already defined in Tbird, the drop-down "Authentication type" list has OAUTH2 as a choice. |
#3
|
|||
|
|||
Tbird
OhRats wrote:
According to GMail, Thunderbird is a less secure app. What ? https://support.mozilla.org/en-US/questions/1212671 "Oauth is only available for gmail using IMAP and SMTP. It is not an option when using POP." "Helpful Reply Thunderbird added Oauth2 to version 38 after gmail deemed everyone but them "less secure apps". " Oauth is a web-based authentication method, added to email which has its own protocols for authentication. As such, the email developer community was suspicious of Google intentions. Using the less secure app setting in your webmail Gmail setup, helps ensure that regular email applications that lack Oauth, will work. Based on the above information, it's possible that a POP3 setup may benefit from such a setting. Paul |
#4
|
|||
|
|||
Tbird
On Mon, 12 Nov 2018 14:05:43 -0800, OhRats wrote:
According to GMail, Thunderbird is a less secure app. What ? In Thunderbird, change the 'Authentication method' for Gmail to "OAuth2", in both: * The Gmail account server settings (assuming it is an IMAP account); * The outgoing server (SMTP) settings for Gmail Screen-shot: http://i.imgur.com/dPUg7N3.png Gmail only says that about Thunderbird because Thunderbird has been configured to use 'Normal password' authentication instead of 'OAuth2'. The real insecurity which Gmail is trying to block is not Thunderbird. It is that when Gmail's servers accept 'Normal password' authentication the accounts are more likely to get hacked that when they only accept 'OAuth2' authentication. What Gmail wants you to do is to: * Turn off 'allow less secure apps', which means Gmail's servers won't accept 'Normal password' authentication with your Google account password; * Configure Thunderbird to use 'OAuth2' authentication which lets you access your email when 'allow less secure apps' is turned off. -- Kind regards Ralph |
#5
|
|||
|
|||
Tbird
On Tue, 13 Nov 2018 00:20:58 -0500, Paul wrote:
Oauth is a web-based authentication method, added to email which has its own protocols for authentication. The one-time OAuth2 token generation is web-based, for which Thunderbird uses its own built-in web client. This only happens once, at the time you change to OAuth2. The regular authentication, each time Thunderbird accesses Gmail, is *not* web-based. -- Kind regards Ralph |
#6
|
|||
|
|||
Oauth2 and POP (was: Tbird)
In message , Paul
writes: OhRats wrote: According to GMail, Thunderbird is a less secure app. What ? https://support.mozilla.org/en-US/questions/1212671 "Oauth is only available for gmail using IMAP and SMTP. It is not an option when using POP." "Helpful Reply Thunderbird added Oauth2 to version 38 after gmail deemed everyone but them "less secure apps". " [] Is Oauth2 not available at all with POP, or is it only Thunderbird that doesn't support that combination? If the combination is not available at all, what does Google (who appear to be the drivers of Oauth2) have against POP? (I _don't_ want to start the POP/IMAP wars again; I just want to know what _Google_ have against POP. Assuming the combination _isn't_ available.) If you _can_ do Oauth2 with POP, has Mozilla said anything about plans to add the combination to Thunderbird (assuming I am correctly reading the above as meaning the combination isn't currently there)? -- J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf What's awful about weird views is not the views. It's the intolerance. If someone wants to worship the Duke of Edinburgh or a pineapple, fine. But don't kill me if I don't agree. - Tim Rice, Radio Times 15-21 October 2011. |
#7
|
|||
|
|||
Oauth2 and POP (was: Tbird)
On Tue, 13 Nov 2018 10:21:10 +0000, J. P. Gilliver (John) wrote:
Is Oauth2 not available at all with POP, or is it only Thunderbird that doesn't support that combination? If the combination is not available at all, what does Google (who appear to be the drivers of Oauth2) have against POP? (I _don't_ want to start the POP/IMAP wars again; I just want to know what _Google_ have against POP. Assuming the combination _isn't_ available.) If you _can_ do Oauth2 with POP, has Mozilla said anything about plans to add the combination to Thunderbird (assuming I am correctly reading the above as meaning the combination isn't currently there)? Gmail is not the only email provider supporting OAuth2. Other email providers include mail.ru, AOL, and Yahoo. Gmail supports Oauth2 with IMAP and SMTP but not with POP. I do not know what is the case with other email providers who support Oauth2. Thunderbird does not offer OAuth2 for Gmail POP accounts because there is no value in offering something which is not going to work. It would only attract complaints. I do not know whether your question "Is Oauth2 not available at all with POP" refers only to Gmail, whether it refers to other email providers as well, or whether it refers to what is possible in the POP protocol (whether or not email providers provide support with POP). -- Kind regards Ralph |
#8
|
|||
|
|||
Oauth2 and POP (was: Tbird)
In message , Ralph Fox
writes: On Tue, 13 Nov 2018 10:21:10 +0000, J. P. Gilliver (John) wrote: Is Oauth2 not available at all with POP, or is it only Thunderbird that doesn't support that combination? If the combination is not available at all, what does Google (who appear to be the drivers of Oauth2) have against POP? (I _don't_ want to start the POP/IMAP wars again; I just want to know what _Google_ have against POP. Assuming the combination _isn't_ available.) If you _can_ do Oauth2 with POP, has Mozilla said anything about plans to add the combination to Thunderbird (assuming I am correctly reading the above as meaning the combination isn't currently there)? Gmail is not the only email provider supporting OAuth2. Other email providers include mail.ru, AOL, and Yahoo. Useful information. Gmail supports Oauth2 with IMAP and SMTP but not with POP. I do not know what is the case with other email providers who support Oauth2. Fair enough. Thunderbird does not offer OAuth2 for Gmail POP accounts because there is no value in offering something which is not going to work. It would only attract complaints. That makes sense - _if_ the bar in TB is only for gmail accounts (see next bit below). I do not know whether your question "Is Oauth2 not available at all with POP" refers only to Gmail, whether it refers to other email providers as well, or whether it refers to what is possible in the POP protocol (whether or not email providers provide support with POP). No, I was asking if there's something in either the Oauth2 protocol (?) or the POP protocol that prevents them working together. (If they _can_ work together, and it's just gmail who don't accept the combination, then Mozilla adding the possibility to TB _could_ have a use [perhaps locking it out for gmail specifically, as as you say that would attract complaints].) -- J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf More people watch live theatre every year than Premier League football matches. - Libby Purves, RT 2017/9/30-10/6 |
Thread Tools | |
Display Modes | |
|
|