| 1 |
On Thursday 10 Dec 2015 06:51:45 Alan McKinnon wrote: |
| 2 |
> On 10/12/2015 02:08, walt wrote: |
| 3 |
> > On Tue, 8 Dec 2015 19:00:20 +0200 |
| 4 |
> > |
| 5 |
> > Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 6 |
> >> Allow me to translate the Google-speak: |
| 7 |
> >> |
| 8 |
> >> "less secure mail app" really means "a really shitty auth method that |
| 9 |
> >> isn't our (Google's) auth method". So click the (rather well-hidden) |
| 10 |
> >> button in Gmail's interface and go back to the really shitty auth |
| 11 |
> >> method we all used just fine for 10+ years already. |
| 12 |
> > |
| 13 |
> > Sounds like it's still grumpy Scotsman day. |
| 14 |
> > |
| 15 |
> > This is a test email to discover if you really have a gmail account, |
| 16 |
> > and, if so, how often you check it for new email. |
| 17 |
> > |
| 18 |
> > I'll be happy to explain the origin of "grumpy Scotsman" if this test |
| 19 |
> > succeeds. |
| 20 |
> |
| 21 |
> Hello walt, |
| 22 |
> |
| 23 |
> Yes it's me and this is a valid account, it's in constant use. |
| 24 |
|
| 25 |
OK, this must be a good 2FA then? ;-) |
| 26 |
|
| 27 |
Walt's test worked for me too. |
| 28 |
|
| 29 |
I wouldn't say that the old auth method is sh*tty as Alan asserts, but Google |
| 30 |
in their wisdom wanted to deal with all sort of new apps authenticating with |
| 31 |
user credentials into their mail servers, without revealing to intermediaries |
| 32 |
(e.g. ISPs, hackers, app server admins) the Google user credentials. They |
| 33 |
could have done this by adding CRAM, SCRAM, et al. in their POP3/IMAP4/SMTP |
| 34 |
authentication, rather than keeping AUTH=PLAIN, but instead they chose to |
| 35 |
follow MSoft's embrace-extend-extinguish strategy by creating their own |
| 36 |
tokenising standard over https. In other words, using time honoured mail |
| 37 |
client protocols alone is not good enough for Google and you have to use a |
| 38 |
browser as well. Of course, we all know how <aheam!> secure browsers are. |
| 39 |
|
| 40 |
The world is changing from classic mail clients and protocols to mobile apps, |
| 41 |
mobile apps running on (proxy) servers in foreign countries and an awful lot |
| 42 |
of bad code, which can be exploited. There may be cleverer ways to resolve |
| 43 |
this problem, while still adhering to mail protocols, but Google has decided |
| 44 |
to move us all to a protocol (http) where they reign supreme. |
| 45 |
-- |
| 46 |
Regards, |
| 47 |
Mick |
Archives