On Mon, 19 Aug 2019 10:32:31 +0200
<to...@tuxteam.de> wrote:

> On Sun, Aug 18, 2019 at 09:15:45PM -0400, Celejar wrote:
> > On Sun, 18 Aug 2019 23:43:35 +0200
> > <to...@tuxteam.de> wrote:
> > 
> > > On Sun, Aug 18, 2019 at 05:19:28PM -0400, Celejar wrote:
> > > > On Fri, 16 Aug 2019 10:10:35 +0200
> [...]
> > I think terming Google's decision to call software that doesn't
> > implement OAuth "less secure" "evil" is hyperbole [...]
> This nicely demonstrates my point: OAuth is a HTTP oriented access
> delegation protocol. Why should that be at all relevant, e.g. in
> the context of IMAP?

>From the Introduction to RFC 6749:


In the traditional client-server authentication model, the client
   requests an access-restricted resource (protected resource) on the
   server by authenticating with the server using the resource owner's
   credentials.  In order to provide third-party applications access to
   restricted resources, the resource owner shares its credentials with
   the third party.  This creates several problems and limitations:

Third-party applications are required to store the resource
      owner's credentials for future use, typically a password in


Third-party applications gain overly broad access to the resource
      owner's protected resources, leaving resource owners without any
      ability to restrict duration or access to a limited subset of

Resource owners cannot revoke access to an individual third party
      without revoking access to all third parties, and must do so by
      changing the third party's password.

Compromise of any third-party application results in compromise of
      the end-user's password and all of the data protected by that



You can argue that none of this matters to you, since you trust
whatever OSS software you're using, but I stand by what I wrote that
it's unfair to term Google's decision to refer to applications that
don't implement OAuth "less secure" "evil".

> > > In general,
> > > 
> > >  - dominance on the server (adwords, visibility in search engines...)
> > >    and on the client (Chrome/Chromium, Android) side.
> > 
> > I don't consider dominance gained largely through superior
> > technology and legitimate means "evil". Undesirable, yes.
> This misses the point. The fact that my favourite news"paper" has to
> embed Google trackers in its website to survive economically has nothing
> to do with technical superiority and all with market dominance.

I was referring to the client side - Chrome / Chromium achieved
dominance (particularly on the desktop) largely because they were
widely recognized as being more performant than the alternatives.
Firefox may be catching up now, but my impression is that for years,
both experts as well as laymen often preferred Chrome / Chromium
because of its speed. [Note that I have always stuck to Firefox for
almost all my browsing, largely because I don't like / trust Google, so
we're not as far apart as we might seem.]


> > > IMO they're far too big.
> > 
> > Agreed, but again, I don't think that makes them "evil".
> Call that what you want. I call this "emergent evil". And I definitely
> want it out of my cereal bowl :-)

We agree - I want it out of my cereal bowl as well ;)


Reply via email to