On 2025-01-06 18:21, L. Mark Stone via mailop wrote:
> On Jan 6, 2025, at 6:48 PM, Andrew C Aitchison via mailop
>> how comfortable are you giving GMail your users' passwords
>> (sorry, asking your users to share their password with GMail) ?
>
> Andrew, either I’m not understanding or you’ve not thought this through…
> If a customer wants a copy of all of their email to be in Gmail, does it
> really matter if Gmail has the password to the user’s account?

does the user use the same credentials to pull messages (POP or IMAP)
and to log in to SMTP to send messages?

On 2025-01-06 18:11, Louis via mailop wrote:
> Realistically, it's the same risk as giving the user's password to any
> email client, right? Unless you implement a strict ASP policy for imap/
> pop/smtp, the user is going to be giving out their passwords to email
> clients anyway.

NO IT IS NOT! on so many counts it is not:

(1) one user device storing one set of user credentials is a much less
interesting attack target than the server/infrastructure of a service
provider holding millions of such credentials

(2) conversely, the security applied to the server/infrastructure is
most likely light years ahead of the average user's client device

(3) not all email clients operated on users' devices are the same. some
do stupid things such as saving credentials in plain text. others do
other stupid things such as copying credentials to their owner's cloud.

(4) can't control the customer, whether they use Gmail or some local
client, but can certainly control your infrastructure and the risk is
totally different based on how you set up credentials for your own
customers.

Reading this mailing list, sometimes I wonder about best practices...
Yuv
--
Ontario-licensed lawyer