As a PS to my previous post, I've just noticed that the Wikipedia article on OAuth says: "OAuth 2.0 has had numerous security flaws exposed in implementations.[15] The protocol itself has been described as inherently insecure by security experts and a primary contributor to the specification stated that implementation mistakes are almost inevitable." Doesn't that mean that I would actually be more secure, rather than less secure, if I type my password to sign in rather than using OAuth?
Dave

On Wednesday, 18 January 2017 16:08:26 UTC, Dave Rado wrote:
>
> Many thanks, Philip. I'm confused, though.
>
> First of all, I've just looked up OAuth on Wikipedia and the explanation of how it works went over my head - I don't understand how it can be possible for me to authorise access without supplying a password.
>
> But secondly, whenever I log into Google or Chrome or Gmail, I am asked for a password - so if Google themselves make me type my password in order to sign in, how is that any different from me typing my password in the K-9 Mail sign-in screen when adding my Gmail account to K-9 Mail?
>
> Finally and most importantly for me in the short term, are there any serious risks for me if I choose the setting to turn on access to "less secure" apps that Google offered me but said it didn't recommend me to choose? Or can I safely do this?
>
> As a follow-up to the last question above, if you do consider that it's safe to choose this setting but consider that it will be safer still to change it once K-9 Mail incorporates OAuth, will it be straightforward for me to change the setting then? I can't see any way to get to the webpage where the setting is, other than by following the link from the email Google sent me, which won't be a valid link in the long term.
>
> Dave
>
> On Wednesday, 18 January 2017 15:54:33 UTC, Philip Whitehouse wrote:
>>
>> The less-secure sign-in means an app that doesn't use OAuth and instead requires you to provide your password.
>>
>> I've done some work to support this in K-9 (https://github.com/k9mail/k-9/issues/655). pEp have chosen to merge this code, despite the fact it's fairly unfinished. K-9 needs some UI work and testing of this feature, that will hopefully land in a future stable release.
>>
>> Other apps may implement the protocol, I'm not sure which though.
>>
>> - Philip Whitehouse
>>
>> On Tuesday, 17 January 2017 22:49:41 UTC, Dave Rado wrote:
>>>
>>> I'm trying to add my recently created Gmail account as a second email account in K-9 Mail, but when I tried to add it, I was prevented from signing in - the sign-in screen said that my password was incorrect, although it wasn't; and a few seconds later I received an email from Google saying:
>>>
>>> "Google just blocked someone from signing in to your Google account from an app that may put your account at risk." Then if I click the link to confirm that it was me who had tried to sign in, it took me to a webpage that states: "Some apps use less secure sign-in technology which makes your account more vulnerable. You can turn off access for these apps, which we recommend, or turn on access if you want to use them despite the risks."
>>>
>>> It then gives me the option to turn on access to "less secure" apps (not just to K-9 Mail but to *all* "less secure" apps, which I find scary).
>>>
>>> Interestingly, I was able to add my Gmail account to the stock Android email app without any problems, so presumably that app uses what Google regards as a "more secure sign-in technology" - but I don't like the stock email app, which is why I got K-9 Mail in the first place.
>>>
>>> Does Google have reasonable grounds for claiming that K-9 Mail "uses a less secure sign-in technology"? Are the risks real or imaginary? And if I select the option to turn on access to *all* less secure apps, am I taking a serious risk? If so, what non-Google email clients for Android are available that use what Google would regard as a "more secure sign-in technology" and which have comparable functionality to K-9 Mail?
>>>
>>> Dave
>>>
--
You received this message because you are subscribed to the Google Groups "K-9 Mail" group.
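An added illustration, not code from K-9 Mail or from anyone in this thread, of the difference Philip describes between the two sign-in paths on Gmail's IMAP server: with the "less secure apps" path the client must store the account password and send it in a LOGIN command, whereas with OAuth it sends only a short-lived bearer token inside the SASL XOAUTH2 initial response that Google documents. The address, password and token below are constructed sample values.

```python
import base64
import json

# Constructed sample values for the illustration; none of them are real credentials.
USER = "alice@example.com"
PASSWORD = "correct-horse-battery"              # a "less secure app" must store and send this
ACCESS_TOKEN = "ya29.CONSTRUCTED_SAMPLE_TOKEN"  # short-lived, scope-limited, revocable

def imap_quote(value: str) -> str:
    """Quote a value as an IMAP quoted string (RFC 3501), escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def login_command(tag: str, user: str, password: str) -> str:
    """Password path ("less secure apps"): the client holds the account
    password and sends it on every connection (inside the TLS session)."""
    return f"{tag} LOGIN {imap_quote(user)} {imap_quote(password)}"

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response in the form Gmail documents:
    base64("user=" + addr + ^A + "auth=Bearer " + token + ^A + ^A)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def authenticate_command(tag: str, user: str, access_token: str) -> str:
    """OAuth path: only a bearer token crosses the wire; the password never
    reaches the mail client, and the token can be revoked without changing it."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}"

def decode_xoauth2_response(b64: str) -> dict:
    """Split an XOAUTH2 initial response back into its key=value fields."""
    fields = {}
    for part in base64.b64decode(b64).decode("utf-8").split("\x01"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields

def decode_xoauth2_error(challenge_b64: str) -> dict:
    """On a rejected token Gmail sends a base64 JSON challenge such as
    {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"};
    the client must answer it with an empty line and then refresh the token."""
    return json.loads(base64.b64decode(challenge_b64).decode("utf-8"))

# Constructed example of that failure challenge (not a capture from a live server).
SAMPLE_ERROR_CHALLENGE = base64.b64encode(
    b'{"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}'
).decode("ascii")
```

The practical difference behind Google's warning is visible in the two commands: revoking or expiring the token at Google cuts the OAuth client off without a password change, while the LOGIN client keeps working for as long as it holds the password.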
