Oauth2, GMail, and Thunderbird

mechanic wrote:

What's insecure about using TCL/SSL for transmission and the usual
account name/password to access IMAP?

Nothing, unless you're name is google.

This OAuth2 stuff seems
targeted at HTML APIs.

yep.

On 11/29/18 10:38 AM, T wrote:

[snip]

I support Thunderbird.Â* I see this all the time.Â* I just ignore them.
Some customers don't seem to get bothered by this and some do, so
I can't put my finger on it.

I'm going to do that (ignore the messages) too. It's really a VERY small
problem compared to the other spam I have to deal with.

[snip]

--
25 days until the winter celebration (Tue Dec 25, 2018 12:00:00 AM for 1
day).

Mark Lloyd
http://notstupid.us/

"All your western theologies, the whole mythology of them, are based on
the concept of God as a senile delinquent." -- Tennessee Williams

On Fri, 30 Nov 2018 06:16:14 +1300, Ralph Fox
wrote:
snip
2. The OAuth2 setting allows you to keep using Thunderbird
with Gmail when "allow less secure apps" is turned off.
snip

I tried it and what Ralph wrote above is correct. I told GMail to
turn "allow less secure apps" off and both Thunderbird and iOS mail
continue to work normally. The help link in another post which said
Outlook and Thunderbird were examples of apps using insecure access
methods must be out of date. Apparently, Thunderbird has been updated
since that was written to use what google considers acceptable. (I
didn't try Outlook since I no longer use it myself, but I think it was
Outlook that made me enable "allow less secure apps" a few years ago.)

Thanks,
Pat



snip

On 30/11/2018 13.32, Pat wrote:
On Thu, 29 Nov 2018 23:14:49 +0100, "Carlos E.R."
wrote:

On 29/11/2018 14.25, Pat wrote:
In another thread, someone mentioned that enabling OAuth2 in
Thunderbird made Google happy (ie, fewer security warnings received).

I use Thunderbird to access my GMail account via IMAP. I
occassionally get a warning from GMail that my account is more
vulnerable to attacks because I have a less secure access method
enabled. I ignore those warnings because I thought that was necessary
in order to receive mail via IMAP. But, the OAuth2 comment in the
other thread made me question that. I checked my settings and found I
am using OAuth2 in Thunderbird. However, I am still getting the
warnings from Google that I am less secure than I need to be. They
give me a single "Fix this" button but no technical explanation of
what that will do. If I press that button, will IMAP still work?
(Note that I also access my gmail account from an iOS phone so that
needs to continue working, too. Finally, I use Thunderbird to access
accounts on a number of different servers and accounts, so I have no
desire to switch to GMail's web interface or their iOS app. I like
having all my eamil come to one place - Thunderbird on my PC and
Apple's Mail app on the phone.) Any advice is appreciated.

What google wants is you disable "less secure" connections at their web
page. At the server side, not at you client side.
I understand.

If you only use "approved" applications on all your devices, then you
can do it. Else ignore the message.
But, are the latest iOS mail app (not the gmail specific iOS app) and
the latest Thunderbird windows build "approved applications"? I guess
I need to try it and find out.

Thunderbird is, when using oauth2. The tools I use to fetch mail in
background without user intervention are not.

A developer told me that non interactive applications (daemons) can not
implement it.

I believe the oauth2 implementation in Thunderbird uses javascript, thus
when there is a problem it can present you a dialog somewhat similar to
a web page or with visual elements or something.

Take all that with a pinch of salt, I can not be accurate; using some
hearsay :-}

--
Cheers, Carlos.

On 30/11/2018 20.33, Andy Burns wrote:
mechanic wrote:

What's insecure about using TCL/SSL for transmission and the usual
account name/password to access IMAP?

Nothing, unless you're name is google.

It would be more secure using a pair of certificates, which is a
standard method that other mail programs support, but google doesn't.


This OAuth2 stuff seems
targeted at HTML APIs.

yep.

marketing.

--
Cheers, Carlos.

On 30/11/2018 21.13, Pat wrote:
On Fri, 30 Nov 2018 06:16:14 +1300, Ralph Fox
wrote:
snip
2. The OAuth2 setting allows you to keep using Thunderbird
with Gmail when "allow less secure apps" is turned off.
snip

I tried it and what Ralph wrote above is correct. I told GMail to
turn "allow less secure apps" off and both Thunderbird and iOS mail
continue to work normally. The help link in another post which said
Outlook and Thunderbird were examples of apps using insecure access
methods must be out of date. Apparently, Thunderbird has been updated
since that was written to use what google considers acceptable. (I
didn't try Outlook since I no longer use it myself, but I think it was
Outlook that made me enable "allow less secure apps" a few years ago.)

No, we have been saying all the time that Thunderbird was considered
secure from the start *when using Oauth2*.

Google does not consider Thunderbird secure when it uses, say, starttls.

So, it is not the program, but the method selected.

--
Cheers, Carlos.

On 12/2/18 4:58 AM, Carlos E.R. wrote:
On 30/11/2018 21.13, Pat wrote:
On Fri, 30 Nov 2018 06:16:14 +1300, Ralph Fox
wrote:
snip
2. The OAuth2 setting allows you to keep using Thunderbird
with Gmail when "allow less secure apps" is turned off.
snip

I tried it and what Ralph wrote above is correct. I told GMail to
turn "allow less secure apps" off and both Thunderbird and iOS mail
continue to work normally. The help link in another post which said
Outlook and Thunderbird were examples of apps using insecure access
methods must be out of date. Apparently, Thunderbird has been updated
since that was written to use what google considers acceptable. (I
didn't try Outlook since I no longer use it myself, but I think it was
Outlook that made me enable "allow less secure apps" a few years ago.)

No, we have been saying all the time that Thunderbird was considered
secure from the start *when using Oauth2*.

Google does not consider Thunderbird secure when it uses, say, starttls.

So, it is not the program, but the method selected.


Just installed a M$O 2019. Try as I may, there was no Oauth2
anywhere in Outlook 2019. Hmmmmmmmmmmm .... Couldn't talk
the customer into Thunderbird. Did not want to learn anything
new. At least I got him on iMap.