1 |
On Thursday 10 Dec 2015 06:51:45 Alan McKinnon wrote: |
2 |
> On 10/12/2015 02:08, walt wrote: |
3 |
> > On Tue, 8 Dec 2015 19:00:20 +0200 |
4 |
> > |
5 |
> > Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
6 |
> >> Allow me to translate the Google-speak: |
7 |
> >> |
8 |
> >> "less secure mail app" really means "a really shitty auth method that |
9 |
> >> isn't our (Google's) auth method". So click the (rather well-hidden) |
10 |
> >> button in Gmail's interface and go back to the really shitty auth |
11 |
> >> method we all used just fine for 10+ years already. |
12 |
> > |
13 |
> > Sounds like it's still grumpy Scotsman day. |
14 |
> > |
15 |
> > This is a test email to discover if you really have a gmail account, |
16 |
> > and, if so, how often you check it for new email. |
17 |
> > |
18 |
> > I'll be happy to explain the origin of "grumpy Scotsman" if this test |
19 |
> > succeeds. |
20 |
> |
21 |
> Hello walt, |
22 |
> |
23 |
> Yes it's me and this is a valid account, it's in constant use. |
24 |
|
25 |
OK, this must be a good 2FA then? ;-) |
26 |
|
27 |
Walt's test worked for me too. |
28 |
|
29 |
I wouldn't say that the old auth method is sh*tty as Alan asserts, but Google |
30 |
in their wisdom wanted to deal with all sort of new apps authenticating with |
31 |
user credentials into their mail servers, without revealing to intermediaries |
32 |
(e.g. ISPs, hackers, app server admins) the Google user credentials. They |
33 |
could have done this by adding CRAM, SCRAM, et al. in their POP3/IMAP4/SMTP |
34 |
authentication, rather than keeping AUTH=PLAIN, but instead they chose to |
35 |
follow MSoft's embrace-extend-extinguish strategy by creating their own |
36 |
tokenising standard over https. In other words, using time honoured mail |
37 |
client protocols alone is not good enough for Google and you have to use a |
38 |
browser as well. Of course, we all know how <aheam!> secure browsers are. |
39 |
|
40 |
The world is changing from classic mail clients and protocols to mobile apps, |
41 |
mobile apps running on (proxy) servers in foreign countries and an awful lot |
42 |
of bad code, which can be exploited. There may be cleverer ways to resolve |
43 |
this problem, while still adhering to mail protocols, but Google has decided |
44 |
to move us all to a protocol (http) where they reign supreme. |
45 |
-- |
46 |
Regards, |
47 |
Mick |