Yes, I agree with you. Google has a lot of work to do in the security department.
-- Jesse On Wed, Feb 4, 2009 at 2:32 AM, Kinny Cheng <[email protected]> wrote: > Thanks for the insight, Jesse. > It makes sense that this seems to be what's happening at the moment. But > the fact is, it makes no sense whatsoever to cache authentication for > accounts other than the one with the offline access enabled. > > And the theory of "allowing Offline access for one, it is on for all" > doesn't fly either. > > Imagine: if I shared a computer with the family, and where everyone has > their own Gmail account/s, this would mean granting me full access to all > those accounts without me even having to enter in a password, which is > usually required. > > I agree with Ruben, that Gmail seems to have overlooked the security > implications of offline Gmail access. > > > 2009/2/4 Jesse Read <[email protected]> > > While I am no GMail engineer (or any Google dev at all) I would think that >> based on the way Gears works (via WebKit I believe, hence you only need to >> install it via on app and it is available to all WebKit based apps) if you >> allow Offline access for one, it is on all - at least in terms of cached >> authentication. >> I may be wrong though, in fact I probably am. Ruben should be able to get >> more insight. >> >> -- Jesse >> >> >> >> On Tue, Feb 3, 2009 at 1:58 PM, Kinny Cheng <[email protected]> wrote: >> >>> Hi Ruben, >>> I'm not sure if I understand you correctly. But... >>> >>> I remember you mentioning previously that passwords are now saved for >>>>> accounts that use Offline Gmail - meaning that, even if I didn't choose to >>>>> store my password in Mailplane, Google Gears would still do this anyway? >>>>> >>>> >>>> If you enabled the "Store password in Keychain" setting, passwords are >>>> only stored in the keychain. What Gmail stores is a session cookie, it >>>> doens't contain any username/password. It is used by Gmail to communicate >>>> with their servers. >>>> >>> >>> I did not elect to have any of my Gmail passwords stored to my keychain. >>> This is because I would prefer to enter my password each time I access a >>> specific Gmail account, per Mailplane session. >>> >>> I am okay with being able to switch between the different accounts freely >>> after I've done the initial authentication. But once I choose to not need >>> the access to email anymore, I just quit Mailplane. The next time I start >>> Mailplane, it'll ask me for my Gmail password - which is what I want, and >>> which has how it's always been since day one. >>> >>> >>> >>>> >>>> When Online: >>>> If you start Mailplane or switch to an account, Gmail will use the >>>> cookie for the account in question. It takes about 10 days to get the >>>> authentication window again. >>>> >>>> When Offline: >>>> >>>> Gmail directly opens the offline store, neither a password, nor a cookie >>>> is required to access it! See these "Offline Gmail" threads for more >>>> information: >>>> >>>> >>>> http://groups.google.com/group/gmail-labs-help-offline/browse_thread/thread/231787671b5c72d7# >>>> >>>> >>>> http://groups.google.com/group/gmail-labs-help-offline/browse_thread/thread/0d8c442af1147b97# >>>> >>>> >>>> Mailplane 2.0.1 always authenticates your account before granting >>>> access, even if you had a valid cookie. Because of the new offline support >>>> this made no sense anymore, as it can only authenticate when online. This >>>> is >>>> why I removed it from 2.1-beta. >>>> >>> >>> This is the part I can't seem to get my head around. But anyway, please >>> fill me in where I may not be understanding you... >>> >>> My dilemma, or rather my question, is this: Why have my other Gmail >>> accounts, with no offline access activated, become openly accessible each >>> time I open Mailplane? >>> >>> I have seven different Gmail accounts, three of which I frequently >>> access, and one of these with the offline access enabled. >>> >>> As per your explanation, I can fully understand why my offline-enabled >>> account no longer requires me to enter a password to access. >>> >>> But for the other two Gmail accounts, it makes no sense whatsoever as to >>> why they are accessible without the usual password authentication anymore - >>> since each account should be mutually exclusive of one another. >>> >>> For example: Each time I start Mailplane, it would open up the >>> offline-enabled Gmail account. When I want to switch to another account, I >>> would usually expect the pop-up dialog and ask me for the respective >>> password (since it's the first time I'm accessing the account for this >>> Mailplane session). But with the latest Beta, it no longer does this and, >>> instead, goes to my account's inbox right away. >>> >>> Hope you understand where I am coming from, and what I'm trying to >>> describe here. >>> >>> >>> Cheers, >>> Kinny >>> >>> >>> >>> >>>> A stronger security measures for offline data needs to be implemented by >>>> Google. Even if Mailplane would ask you for Username/Password and would not >>>> store any cookies you could still access your offline data by using Safari >>>> or any other WebKit browser. >>>> >>>> >>>> For me, no other measures are needed. I have other personal data stored >>>> in my Mac's account. No other user is using my Mac, and I have password >>>> protected my account. >>>> >>>> Maybe you could share some details about your requirements. Do you have >>>> some accounts that you use online only and are more sensitive than other >>>> you >>>> use offline? >>>> >>>> >>>> >>>> -- >>>> Ruben >>>> http://mailplaneapp.com/blog >>>> http://www.twitter.com/Mailplane >>>> >>>> >>>> >>> >>> >>> >> >> >> > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "mailplaneapp" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/mailplaneapp?hl=en -~----------~----~----~----~------~----~------~--~---
