On 9 Apr 2025, at 11:47, Benny Kjær Nielsen wrote:
> On 9 Apr 2025, at 17:18, Alan Ralph wrote:
>
>> While I kinda-sorta understand why OAuth _might_ be a good thing, from what
>> you've written it sounds like Google is using it primarily for their
>> benefit. It _would_ be mighty convenient if fewer people were using
>> third-party apps to access their Gmail, and opting to access through the
>> browser (ideally Chrome, from Google's viewpoint) or the official Gmail
>> app...
>
> I'm thinking it's a combination of things. Google has probably had more
> problems with misuse of Google accounts in various ways than anyone else, but
> I doubt many of those problems have been related to IMAP/SMTP (other than
> missing 2FA). They had to tighten security for cloud-to-cloud services and
> then maybe native apps became kind of collateral damage in the process. Now
> they won't reverse course and instead we have this security theater. Google
> are the only ones using a “client secret” for OAuth access even though you
> cannot keep that secret from the user.
>
Worth noting—and I'm a security guy—for many people, their email password is
the most valuable one they have, since it's used for password reset on all of
their other accounts.
—Steve Bellovin, https://www.cs.columbia.edu/~smb
_______________________________________________
mailmate mailing list