On Mon, 19 Aug 2019 10:32:31 +0200
<to...@tuxteam.de> wrote:

> On Sun, Aug 18, 2019 at 09:15:45PM -0400, Celejar wrote:
> > On Sun, 18 Aug 2019 23:43:35 +0200
> > <to...@tuxteam.de> wrote:
> >
> > > On Sun, Aug 18, 2019 at 05:19:28PM -0400, Celejar wrote:
> > > > On Fri, 16 Aug 2019 10:10:35 +0200
>
> [...]
>
> > I think terming Google's decision to call software that doesn't
> > implement OAuth "less secure" "evil" is hyperbole [...]
>
> This nicely demonstrates my point: OAuth is a HTTP oriented access
> delegation protocol. Why should that be at all relevant, e.g. in
> the context of IMAP?

From the Introduction to RFC 6749:

*****

In the traditional client-server authentication model, the client
requests an access-restricted resource (protected resource) on the
server by authenticating with the server using the resource owner's
credentials. In order to provide third-party applications access to
restricted resources, the resource owner shares its credentials with
the third party. This creates several problems and limitations:

Third-party applications are required to store the resource owner's
credentials for future use, typically a password in clear-text.

...

Third-party applications gain overly broad access to the resource
owner's protected resources, leaving resource owners without any
ability to restrict duration or access to a limited subset of
resources.

Resource owners cannot revoke access to an individual third party
without revoking access to all third parties, and must do so by
changing the third party's password.

Compromise of any third-party application results in compromise of
the end-user's password and all of the data protected by that
password.

*****

https://tools.ietf.org/html/rfc6749

You can argue that none of this matters to you, since you trust
whatever OSS software you're using, but I stand by what I wrote that
it's unfair to term Google's decision to refer to applications that
don't implement OAuth "less secure" "evil".

> > > In general,
> > >
> > > - dominance on the server (adwords, visibility in search engines...)
> > > and on the client (Chrome/Chromium, Android) side.
> >
> > I don't consider dominance gained largely through superior
> > technology and legitimate means "evil". Undesirable, yes.
>
> This misses the point. The fact that my favourite news"paper" has to
> embed Google trackers in its website to survive economically has nothing
> to do with technical superiority and all with market dominance.

I was referring to the client side - Chrome / Chromium achieved
dominance (particularly on the desktop) largely because they were
widely recognized as being more performant than the alternatives.
Firefox may be catching up now, but my impression is that for years,
both experts as well as laymen often preferred Chrome / Chromium
because of its speed.

[Note that I have always stuck to Firefox for almost all my browsing,
largely because I don't like / trust Google, so we're not as far apart
as we might seem.]

...

> > > IMO they're far too big.
> >
> > Agreed, but again, I don't think that makes them "evil".
>
> Call that what you want. I call this "emergent evil". And I definitely
> want it out of my cereal bowl :-)

We agree - I want it out of my cereal bowl as well ;)

Celejar