Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-12-29 Thread David Green


On 31 May 2019, at 6:16, Benny Kjær Nielsen wrote:

I've finally passed the verification process for the Google OAuth 
API. 


Do you know how this verification relates to Google Advanced Protection 
Program (https://landing.google.com/advancedprotection/)?


I am assuming MailMate won’t work with it but I thought I would check.

Thanks,

Dave
___
mailmate mailing list
mailmate@lists.freron.com
https://lists.freron.com/listinfo/mailmate


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-06-02 Thread Annamarie Pluhar
Ugh. It’s not working for me. My Gmail spins and spins and then I get 
unauthorized. But MM is an authorized app. I’ve gone into those settings at 
Google. I could reinstall the account? I have many smart mailboxes.  Ugh. 

Thoughts? 

Annamarie

Annamarie Pluhar
@sharinghousing

Author: Sharing Housing, A Guidebook for Finding and Keeping Good Housemates.
Find out more: http://www.sharinghousing.com
Please forgive brevity and typos. Typing with thumb!! 

> On May 31, 2019, at 2:11 PM, Patrik Fältström via mailmate 
>  wrote:
> 
> Excellent news! Thanks!
> 
>   Patrik
> 
>> On 31 May 2019, at 12:16, Benny Kjær Nielsen wrote:
>> 
>> Hi MailMate users,
>> 
>> a couple of updates on the subjects I wrote about a month ago.
>> 
>> First some very good news: I've finally passed the verification process for 
>> the Google OAuth API. It has been a bit frustrating and involved weird steps 
>> including making a YouTube video essentially showing that MailMate is an 
>> email client. In the end I was again asked to go through the security audit, 
>> but after yet another appeal it was revealed that this was a mistake. This 
>> means that MailMate will continue to support Gmail -- also after January 
>> 2019. Well, at least until the next time Google decides to threaten to pull 
>> the OAuth plug.
>> 
>> My work on WKWebView (the new message view) continues. It's still not ready 
>> for testing (because of a lack of essential features like image blocking and 
>> signing/encryption results), but I've added important major features like 
>> the “Find” interface to do text searches. A new feature is that this now 
>> also works for the headers. Scrolling behavior has been tricky to implement, 
>> but this is almost complete. Next up are changes needed for how HTML is 
>> created for the message view. The new message view allows multiple HTML 
>> segments to be created and displayed in separate HTML views. This is both 
>> more flexible and more robust with respect to security when dealing with 
>> signed/encrypted content and/or when displaying complex and/or multiple 
>> messages.
>> 
>> (And the bad news: When I work on major features I tend to fall behind on 
>> answering emails and updating support tickets.)
>> 
>> -- 
>> Benny
>> https://freron.com/become_a_mailmate_patron/
>> 
>>> On 30 Apr 2019, at 16:56, Benny Kjær Nielsen wrote:
>>> 
>>> Hi MailMate users,
>>> 
>>> I know I'm behind on answering emails (also on the mailing list), but it 
>>> doesn't mean I'm not working :)
>>> 
>>> ## WKWebView
>>> 
>>> Right now I'd just like to note that I'm busy working on replacing the main 
>>> message view in MailMate. It currently uses the so-called WebView class 
>>> provided by Apple, but this was deprecated a long time ago (by Apple) and 
>>> it should be replaced by a so-called WKWebView. Both classes are used to 
>>> display HTML (which MailMate also generates to display plain text messages) 
>>> and if that is all that is needed then it's a simple replacement. But 
>>> MailMate also has image blocking, context sensitive menus, text search, 
>>> etc. and all of this has to work in a completely different way. In some 
>>> cases, it's not even clear that I can provide the same features as before. 
>>> We'll see about that. WKWebView is 10.10+, but right now it looks like 
>>> image blocking can only work on 10.13+. I'm not quite sure what to do about 
>>> that yet...
>>> 
>>> The latest test release includes the new message view, but it's disabled 
>>> for now because too many things don't work yet. I'm mainly writing about 
>>> this since some changes might also affect the old message view in the 
>>> latest test release.
>>> 
>>> The good news is that when the replacement is finished then I should, at 
>>> least in theory, be able to fix various old issues.
>>> 
>>> ## Google OAuth API Application Verification
>>> 
>>> MailMate uses the so-called OAuth2 authentication method for Gmail 
>>> IMAP/SMTP access. This works far better than password-based access which I 
>>> suspect is eventually going to be dropped completely by Google. I had (and 
>>> still have) some reservations about OAuth2 support which I outlined in 
>>> [this blog 
>>> post](https://blog.freron.com/2015/is-oauth2-support-a-good-thing/). I 
>>> expressed that I worried that Google would some day use OAuth2 to “hit the 
>>> kill switch” on MailMate...
>>> 
>>> ...and recently I was told by Google that I needed to start a verification 
>>> process for MailMate. I've done that and if I understand correctly I have 
>>> until the end of 2019 to complete this process.
>>> 
>>> Now, the problem is that I'm not really sure I can (or am willing to) 
>>> complete the verification process at all. It *might* include a security 
>>> audit with a price tag between $15000 and $75000+ (I'm clearly in the wrong 
>>> business). There seem to be exemptions for desktop email applications and 
>>> I've asked Google to clarify this, but I also feel that I'm obligated 

Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-31 Thread Patrik Fältström via mailmate
Excellent news! Thanks!

   Patrik

On 31 May 2019, at 12:16, Benny Kjær Nielsen wrote:

> Hi MailMate users,
>
> a couple of updates on the subjects I wrote about a month ago.
>
> First some very good news: I've finally passed the verification process for 
> the Google OAuth API. It has been a bit frustrating and involved weird steps 
> including making a YouTube video essentially showing that MailMate is an 
> email client. In the end I was again asked to go through the security audit, 
> but after yet another appeal it was revealed that this was a mistake. This 
> means that MailMate will continue to support Gmail -- also after January 
> 2019. Well, at least until the next time Google decides to threaten to pull 
> the OAuth plug.
>
> My work on WKWebView (the new message view) continues. It's still not ready 
> for testing (because of a lack of essential features like image blocking and 
> signing/encryption results), but I've added important major features like the 
> “Find” interface to do text searches. A new feature is that this now also 
> works for the headers. Scrolling behavior has been tricky to implement, but 
> this is almost complete. Next up are changes needed for how HTML is created 
> for the message view. The new message view allows multiple HTML segments to 
> be created and displayed in separate HTML views. This is both more flexible 
> and more robust with respect to security when dealing with signed/encrypted 
> content and/or when displaying complex and/or multiple messages.
>
> (And the bad news: When I work on major features I tend to fall behind on 
> answering emails and updating support tickets.)
>
> -- 
> Benny
> https://freron.com/become_a_mailmate_patron/
>
> On 30 Apr 2019, at 16:56, Benny Kjær Nielsen wrote:
>
>> Hi MailMate users,
>>
>> I know I'm behind on answering emails (also on the mailing list), but it 
>> doesn't mean I'm not working :)
>>
>> ## WKWebView
>>
>> Right now I'd just like to note that I'm busy working on replacing the main 
>> message view in MailMate. It currently uses the so-called WebView class 
>> provided by Apple, but this was deprecated a long time ago (by Apple) and it 
>> should be replaced by a so-called WKWebView. Both classes are used to 
>> display HTML (which MailMate also generates to display plain text messages) 
>> and if that is all that is needed then it's a simple replacement. But 
>> MailMate also has image blocking, context sensitive menus, text search, etc. 
>> and all of this has to work in a completely different way. In some cases, 
>> it's not even clear that I can provide the same features as before. We'll 
>> see about that. WKWebView is 10.10+, but right now it looks like image 
>> blocking can only work on 10.13+. I'm not quite sure what to do about that 
>> yet...
>>
>> The latest test release includes the new message view, but it's disabled for 
>> now because too many things don't work yet. I'm mainly writing about this 
>> since some changes might also affect the old message view in the latest test 
>> release.
>>
>> The good news is that when the replacement is finished then I should, at 
>> least in theory, be able to fix various old issues.
>>
>> ## Google OAuth API Application Verification
>>
>> MailMate uses the so-called OAuth2 authentication method for Gmail IMAP/SMTP 
>> access. This works far better than password-based access which I suspect is 
>> eventually going to be dropped completely by Google. I had (and still have) 
>> some reservations about OAuth2 support which I outlined in [this blog 
>> post](https://blog.freron.com/2015/is-oauth2-support-a-good-thing/). I 
>> expressed that I worried that Google would some day use OAuth2 to “hit the 
>> kill switch” on MailMate...
>>
>> ...and recently I was told by Google that I needed to start a verification 
>> process for MailMate. I've done that and if I understand correctly I have 
>> until the end of 2019 to complete this process.
>>
>> Now, the problem is that I'm not really sure I can (or am willing to) 
>> complete the verification process at all. It *might* include a security 
>> audit with a price tag between $15000 and $75000+ (I'm clearly in the wrong 
>> business). There seem to be exemptions for desktop email applications and 
>> I've asked Google to clarify this, but I also feel that I'm obligated to 
>> tell my users that I think it's a potential risk that MailMate cannot 
>> support Gmail starting January 1st, 2020. As soon as I fully understand 
>> what's going to happen, I'll make sure to clearly state it wherever it's 
>> relevant on the homepage and in the documentation.
>>
>> Here's a [link to the Google 
>> FAQ](https://support.google.com/cloud/answer/9110914) on the subject if 
>> anyone is interested.
>

Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-31 Thread Benny Kjær Nielsen

Hi MailMate users,

a couple of updates on the subjects I wrote about a month ago.

First some very good news: I've finally passed the verification process 
for the Google OAuth API. It has been a bit frustrating and involved 
weird steps including making a YouTube video essentially showing that 
MailMate is an email client. In the end I was again asked to go through 
the security audit, but after yet another appeal it was revealed that 
this was a mistake. This means that MailMate will continue to support 
Gmail -- also after January 2019. Well, at least until the next time 
Google decides to threaten to pull the OAuth plug.


My work on WKWebView (the new message view) continues. It's still not 
ready for testing (because of a lack of essential features like image 
blocking and signing/encryption results), but I've added important major 
features like the “Find” interface to do text searches. A new 
feature is that this now also works for the headers. Scrolling behavior 
has been tricky to implement, but this is almost complete. Next up are 
changes needed for how HTML is created for the message view. The new 
message view allows multiple HTML segments to be created and displayed 
in separate HTML views. This is both more flexible and more robust with 
respect to security when dealing with signed/encrypted content and/or 
when displaying complex and/or multiple messages.


(And the bad news: When I work on major features I tend to fall behind 
on answering emails and updating support tickets.)


--
Benny
https://freron.com/become_a_mailmate_patron/

On 30 Apr 2019, at 16:56, Benny Kjær Nielsen wrote:


Hi MailMate users,

I know I'm behind on answering emails (also on the mailing list), but 
it doesn't mean I'm not working :)


## WKWebView

Right now I'd just like to note that I'm busy working on replacing the 
main message view in MailMate. It currently uses the so-called WebView 
class provided by Apple, but this was deprecated a long time ago (by 
Apple) and it should be replaced by a so-called WKWebView. Both 
classes are used to display HTML (which MailMate also generates to 
display plain text messages) and if that is all that is needed then 
it's a simple replacement. But MailMate also has image blocking, 
context sensitive menus, text search, etc. and all of this has to work 
in a completely different way. In some cases, it's not even clear that 
I can provide the same features as before. We'll see about that. 
WKWebView is 10.10+, but right now it looks like image blocking can 
only work on 10.13+. I'm not quite sure what to do about that yet...


The latest test release includes the new message view, but it's 
disabled for now because too many things don't work yet. I'm mainly 
writing about this since some changes might also affect the old 
message view in the latest test release.


The good news is that when the replacement is finished then I should, 
at least in theory, be able to fix various old issues.


## Google OAuth API Application Verification

MailMate uses the so-called OAuth2 authentication method for Gmail 
IMAP/SMTP access. This works far better than password-based access 
which I suspect is eventually going to be dropped completely by 
Google. I had (and still have) some reservations about OAuth2 support 
which I outlined in [this blog 
post](https://blog.freron.com/2015/is-oauth2-support-a-good-thing/). I 
expressed that I worried that Google would some day use OAuth2 to 
“hit the kill switch” on MailMate...


...and recently I was told by Google that I needed to start a 
verification process for MailMate. I've done that and if I understand 
correctly I have until the end of 2019 to complete this process.


Now, the problem is that I'm not really sure I can (or am willing to) 
complete the verification process at all. It *might* include a 
security audit with a price tag between $15000 and $75000+ (I'm 
clearly in the wrong business). There seem to be exemptions for 
desktop email applications and I've asked Google to clarify this, but 
I also feel that I'm obligated to tell my users that I think it's a 
potential risk that MailMate cannot support Gmail starting January 
1st, 2020. As soon as I fully understand what's going to happen, I'll 
make sure to clearly state it wherever it's relevant on the homepage 
and in the documentation.


Here's a [link to the Google 
FAQ](https://support.google.com/cloud/answer/9110914) on the subject 
if anyone is interested.




Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-08 Thread Verdon Vaillancourt
Our university IT actually stopped supporting the use of desktop email 
clients a while ago, with the only “official” way to access email 
being the Gmail in a browser.


That's shockingly bad for any organization, but especially a 
university, in my view.




Sadly not uncommon.


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-08 Thread Randall Gellens
Our university IT actually stopped supporting the use of desktop email 
clients a while ago, with the only “official” way to access email 
being the Gmail in a browser.


That's shockingly bad for any organization, but especially a university, 
in my view.


--Randall


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-08 Thread Dave C
“Unofficially” (c; you can have your Gmail mail forwarded to any other account 
which you can then access with any mail client.

Dave


>> It's worse than that—many organizations have outsourced their email to 
>> Google. My university does, though I still run my own mail server…


> It is the same situation here.  Although I likely used a @vt.edu account when 
> registering Mailmate, our university also unfortunately outsources its email 
> to Google.  Our university IT actually stopped supporting the use of desktop 
> email clients a while ago, with the only “official” way to access email being 
> the Gmail in a browser.
> 
> Michael Dunston


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-08 Thread Michael Dunston

On 30 Apr 2019, at 12:43, Steven M. Bellovin wrote:

It's worse than that—many organizations have outsourced their email 
to Google. My university does, though I still run my own mail server…


It is the same situation here.  Although I likely used a @vt.edu account 
when registering Mailmate, our university also unfortunately outsources 
its email to Google.  Our university IT actually stopped supporting the use 
of desktop email clients a while ago, with the only “official” way 
to access email being the Gmail in a browser.


--
-- Michael Dunston
-- Recording and Production
-- School of Performing Arts Music | Theatre | Cinema
-- (540) 231-9942 


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-03 Thread Benny Kjær Nielsen

On 2 May 2019, at 20:48, Dave C wrote:

But what about those legitimate mails in which we want to see the 
images?


That's not a problem. Replacing image URLs would only happen when image 
blocking is enabled. This step would simply be skipped if not blocking 
images.


--
Benny
https://freron.com/become_a_mailmate_patron/


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-03 Thread Benny Kjær Nielsen

On 2 May 2019, at 19:06, Michael Nietzold wrote:

Maybe you can strip out the image links via text/replace before you 
put the HTML into the WKWebView?


Security-wise, this can only be done if the WKWebView is used to parse 
the text itself (otherwise a difference between the WKWebView parser and 
whatever other parser I use would be an attack vector for getting around 
the URL stripper/replacement). Technically, I think this is possible, 
but I can also think of some potential caveats...


--
Benny
https://freron.com/become_a_mailmate_patron/
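
The parser-difference risk described in the message above, as an added example that is not part of the original post or of MailMate's code: a regex "text/replace" stripper is run over constructed HTML fragments, and a second tokenizer (Python's `html.parser`, standing in for the rendering engine as an assumption) reports which remote references it would still see. All URLs, sample names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The "text/replace" idea: empty the src of every <img> with one regular expression.
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc\s*=\s*)(["\'])(.*?)\2', re.I | re.S)


def strip_images_by_regex(html):
    """Return html with quoted <img src="..."> values emptied."""
    return IMG_SRC.sub(lambda m: m.group(1) + m.group(2) * 2, html)


# What the stand-in "renderer" treats as something that triggers a remote load.
REMOTE = re.compile(r'(?:https?:)?//', re.I)
CSS_URL = re.compile(r'url\(\s*["\']?\s*((?:https?:)?//[^"\')\s]+)', re.I)
LOADING_ATTRS = {"src", "background", "poster"}


class RemoteRefCollector(HTMLParser):
    """Tokenizes HTML independently of the stripper and records remote references."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            value = value.strip()
            if name in LOADING_ATTRS and REMOTE.match(value):
                self.refs.append((tag, name, value))
            elif name == "style":
                for url in CSS_URL.findall(value):
                    self.refs.append((tag, name, url))


def remaining_remote_refs(html):
    """List (tag, attribute, url) for every remote reference the tokenizer sees."""
    collector = RemoteRefCollector()
    collector.feed(html)
    collector.close()
    return collector.refs


# Constructed message fragments; tracker.example is a placeholder host.
SAMPLES = {
    "quoted_img": '<img src="https://tracker.example/open.gif?id=1" width="1">',
    "unquoted_img": '<img src=https://tracker.example/open.gif?id=2 width=1>',
    "gt_in_alt": '<img alt="a>b" src="https://tracker.example/open.gif?id=3">',
    "table_background": '<td background="https://tracker.example/bg.gif?id=4">x</td>',
    "css_url": '<div style="background:url(https://tracker.example/bg.gif?id=5)">x</div>',
}


def audit(stripper, samples):
    """Run the stripper, then ask the second parser what is still loadable."""
    return {name: remaining_remote_refs(stripper(html)) for name, html in samples.items()}


def leaking(stripper, samples):
    """Names of samples where the two views of the HTML disagree."""
    return sorted(name for name, refs in audit(stripper, samples).items() if refs)


if __name__ == "__main__":
    for name, refs in audit(strip_images_by_regex, SAMPLES).items():
        print(f"{name:18} {'blocked' if not refs else 'still loads: ' + refs[0][2]}")
```

The stand-in tokenizer is itself not WebKit, so any filter that runs outside the rendering engine carries the same kind of gap; that is the reason the message ties safe stripping to WKWebView doing the parsing.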


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-02 Thread Randall Gellens

On 2 May 2019, at 6:01, Steven M. Bellovin wrote:

Being able to block images by default is an absolute requirement for 
me and I suspect for others. It's not just a huge privacy issue, it's 
an important part of anti-spam defenses: spammers (and other marketers) 
monitor remote image loading to see if the message was read.


Now, if it's only for older releases of MacOS I don't care, since all 
of my systems run 10.14 Mojave. But there are other people who share 
my concerns who do run older releases, often because their hardware is 
too old for Mojave.


It sounds to me that it is possible that current releases of MailMate 
would only support image blocking on High Sierra (10.13) or above, which 
should be a smaller set than if it was Mojave (10.14) and above.  For 
anyone on Sierra (10.12) or older, they could stick with an older 
version of MailMate and retain image blocking.


I kept my laptop on 10.6.8 for many years specifically so I could keep 
using Mac Eudora.


--Randall


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-02 Thread Dave C
But what about those legitimate mails in which we want to see the images?

Dave

> On May 2, 2019, at 10:06 AM, Michael Nietzold  
> wrote:
> 
> Maybe you can strip out the image links via text/replace before you put the 
> HTML into the WKWebView?
> 
> Sent from my iThingy...
> 
>> On 02.05.2019 at 15:23, Benny Kjær Nielsen wrote:
>> 
>> On 2 May 2019, at 15:01, Steven M. Bellovin wrote:
>> 
>> On 2 May 2019, at 5:19, Benny Kjær Nielsen wrote:
>> 
>> I don't like the idea of disabling image blocking, but the changes needed 
>> for WKWebView might be too much of a hassle to keep the WebView solution for 
>> earlier macOS releases. In that case, disabling image blocking for earlier 
>> releases might be a solution. Alternatively, I can possibly still block 
>> things using different methods.
>> 
>> Being able to block images by default is an absolute requirement for me and 
>> I suspect for others.
>> 
>> Of course. My answer was in response to the fact that I might have to 
>> require 10.13+ to support image blocking using WKWebView. WKWebView works 
>> with older macOS releases, but this is without an API to do image blocking. 
>> That leaves me with various options:
>> 
>> * Make MailMate macOS 10.13+ only.
>> * Find a different way to do image blocking on older macOS releases while 
>>   still using WKWebView. This means MailMate becomes 10.10+ only.
>> * Maintain the old message view solution for older macOS versions.
>> * Not do image blocking on older macOS versions.
>> 
>> I would prefer the second solution.
>> 
>> But there are other people who share my concerns who do run older releases, 
>> often because their hardware is too old for Mojave.
>> 
>> Yes, but in any case, they also have the option of running an older version 
>> of MailMate. They won't get updates to MailMate, but they are also not 
>> getting updates to macOS.
>> 
>> But let's see what happens. I still have many unresolved issues with 
>> WKWebView. Maybe I cannot make it work at all :)
>> 
>> -- 
>> Benny
>> https://freron.com/become_a_mailmate_patron/
>> 


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-02 Thread Michael Nietzold
Maybe you can strip out the image links via text/replace before you put the 
HTML into the WKWebView?

Sent from my iThingy...

> On 02.05.2019 at 15:23, Benny Kjær Nielsen wrote:
> 
> On 2 May 2019, at 15:01, Steven M. Bellovin wrote:
> 
> On 2 May 2019, at 5:19, Benny Kjær Nielsen wrote:
> 
> I don't like the idea of disabling image blocking, but the changes needed for 
> WKWebView might be too much of a hassle to keep the WebView solution for 
> earlier macOS releases. In that case, disabling image blocking for earlier 
> releases might be a solution. Alternatively, I can possibly still block 
> things using different methods.
> 
> Being able to block images by default is an absolute requirement for me and I 
> suspect for others.
> 
> Of course. My answer was in response to the fact that I might have to require 
> 10.13+ to support image blocking using WKWebView. WKWebView works with older 
> macOS releases, but this is without an API to do image blocking. That leaves 
> me with various options:
> 
> * Make MailMate macOS 10.13+ only.
> * Find a different way to do image blocking on older macOS releases while still 
>   using WKWebView. This means MailMate becomes 10.10+ only.
> * Maintain the old message view solution for older macOS versions.
> * Not do image blocking on older macOS versions.
> 
> I would prefer the second solution.
> 
> But there are other people who share my concerns who do run older releases, 
> often because their hardware is too old for Mojave.
> 
> Yes, but in any case, they also have the option of running an older version 
> of MailMate. They won't get updates to MailMate, but they are also not 
> getting updates to macOS.
> 
> But let's see what happens. I still have many unresolved issues with 
> WKWebView. Maybe I cannot make it work at all :)
> 
> -- 
> Benny
> https://freron.com/become_a_mailmate_patron/
> 


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-02 Thread Sam Hathaway

On 2 May 2019, at 9:23, Benny Kjær Nielsen wrote:


* Not do image blocking on older macOS versions.


If you decide to go this route, folks on earlier macOS versions could 
use something like [Little 
Snitch](https://www.obdev.at/products/littlesnitch/) to prevent emails 
“phoning home”.


Hope this helps.
-sam


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-02 Thread Benny Kjær Nielsen

On 2 May 2019, at 15:01, Steven M. Bellovin wrote:


On 2 May 2019, at 5:19, Benny Kjær Nielsen wrote:

I don't like the idea of disabling image blocking, but the changes 
needed for WKWebView might be too much of a hassle to keep the 
WebView solution for earlier macOS releases. In that case, disabling 
image blocking for earlier releases might be a solution. 
Alternatively, I can possibly still block things using different 
methods.


Being able to block images by default is an absolute requirement for 
me and I suspect for others.


Of course. My answer was in response to the fact that I might have to 
require 10.13+ to support image blocking using WKWebView. WKWebView 
works with older macOS releases, but this is without an API to do image 
blocking. That leaves me with various options:


* Make MailMate macOS 10.13+ only.
* Find a different way to do image blocking on older macOS releases 
  while still using WKWebView. This means MailMate becomes 10.10+ only.
* Maintain the old message view solution for older macOS versions.
* Not do image blocking on older macOS versions.

I would prefer the second solution.

But there are other people who share my concerns who do run older 
releases, often because their hardware is too old for Mojave.


Yes, but in any case, they also have the option of running an older 
version of MailMate. They won't get updates to MailMate, but they are 
also not getting updates to macOS.


But let's see what happens. I still have many unresolved issues with 
WKWebView. Maybe I cannot make it work at all :)


--
Benny
https://freron.com/become_a_mailmate_patron/


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-02 Thread Steven M. Bellovin

On 2 May 2019, at 5:19, Benny Kjær Nielsen wrote:


On 30 Apr 2019, at 18:24, Dave C wrote:

Re WKWebView, can the new features be selectively enabled? For 
example, I am locked (because some apps are locked to it) to MacOS 
10.12 right now. Can image blocking be not enabled and MM still use 
WK except for that feature such that it will work in 19.12?


I don't like the idea of disabling image blocking, but the changes 
needed for WKWebView might be too much of a hassle to keep the WebView 
solution for earlier macOS releases. In that case, disabling image 
blocking for earlier releases might be a solution. Alternatively, I 
can possibly still block things using different methods.


Being able to block images by default is an absolute requirement for me 
and I suspect for others. It's not just a huge privacy issue, it's an 
important part of anti-spam defenses: spammers (and other marketers) 
monitor remote image loading to see if the message was read.

Now, if it's only for older releases of MacOS I don't care, since all of 
my systems run 10.14 Mojave. But there are other people who share my 
concerns who do run older releases, often because their hardware is too 
old for Mojave.


--Steve Bellovin, https://www.cs.columbia.edu/~smb



Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-02 Thread Benny Kjær Nielsen

On 1 May 2019, at 0:42, Annamarie Pluhar wrote:

As a non-geek (and a grateful MM user!) what I think I’m 
understanding is that Google might require some type of pricey audit 
that Benny can’t afford out of his own pocket. Is that right?


Well, this is still not quite clear to me. I'm mainly writing about it 
on the mailing list as a very early warning of a possible future problem 
if I cannot complete the verification process. It might be premature and 
there might not be a problem at all, but I have to somehow complete the 
verification process.


If that’s true perhaps all of us users could contribute to a 
crowd-sourced fund to pay for same. ??


It's possible that MailMate cannot survive without Gmail-users, but 
crowd funding an audit is not the solution. The higher end of an audit 
($75000) is far more than I currently make in a year and I assume 
security audits would be needed again for future releases of MailMate. 
And in theory, other companies might follow the example of Google and 
then an audit might be needed for Apple, Microsoft, Yahoo, etc. 
(Currently, OAuth2 is only used for Outlook and Gmail.)


For now, I'm assuming the problem will go away when I figure out how to 
complete the verification process without an audit.


Before we jump to that - does someone understand why Google might want 
this audit? I don’t know how many users there are but perhaps Google 
could not require the audit? What does it do?


I think it's all about protecting user data. A security assessment would 
likely focus on any data stored/cached on remote servers. MailMate is a 
Desktop email application which only uses a local cache, but one could 
argue that moving emails to a different account (or even forwarding 
emails) gives MailMate “the ability to send Google user data from a 
Restricted Scope to remote servers” and then MailMate is a candidate 
for a “security assessment”. But I *think* this only makes sense if 
MailMate (Freron Software) stored anything on its own servers which I 
naturally do not do.


Part of the problem is perhaps that the OAuth authentication flow is 
“too easy”, that is, evil (web)apps can easily ask for user 
permission to, e.g., access emails and if the user clicks Ok then that 
application can “quietly” fetch everything. Given that the user 
explicitly fetches MailMate to handle email then that doesn't really 
apply in my case.


I don't really think that MailMate is the target of what Google is 
trying to stop, but that doesn't solve the problem of me being stuck in 
the verification process.


The best protection provided is that Apple ensures that only releases 
created by me (with my secret developer certificate) will run on macOS 
without warnings. Something similar does not exist for OAuth. Anyone can 
create an application with a different developer certificate and then 
(mis-)use my verified Google OAuth registration -- including if I had to 
go through a security assessment to get it.


I'm just thinking out loud here. Given that MailMate is a single-person 
business, consider the above what I would be discussing with colleagues 
at the coffee machine in the company office :-)


--
Benny
https://freron.com/become_a_mailmate_patron/


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-05-02 Thread Benny Kjær Nielsen

On 30 Apr 2019, at 18:24, Dave C wrote:

> Re WKWebView, can the new features be selectively enabled? For 
> example, I am locked (because some apps are locked to it) to MacOS 
> 10.12 right now. Can image blocking be not enabled and MM still use WK 
> except for that feature such that it will work in 19.12?


I don't like the idea of disabling image blocking, but the changes 
needed for WKWebView might be too much of a hassle to keep the WebView 
solution for earlier macOS releases. In that case, disabling image 
blocking for earlier releases might be a solution. Alternatively, I can 
possibly still block things using different methods.


(But I'm probably not close to completing the WKWebView solution.)

> Re Gmail: good! If MM is forced to drop Gmail, I’ll finally drop all 
> those horrible “free” accounts.


I'm glad that's an option for you, but note that around 25% of 
registered MailMate users used a Gmail-address when registering. In 
addition to that, many users have secondary email addresses using Gmail 
and/or custom domains with Gmail-accounts. I wouldn't be surprised if 
more than 50% of MailMate users somehow rely on at least 1 Gmail 
address. I have to do whatever I can to continue to support Gmail.


--
Benny
https://freron.com/become_a_mailmate_patron/


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-04-30 Thread Dave C
> Before we jump to that - does someone understand why Google might want this 
> audit? I don’t know how many users there are but perhaps google could not 
> require the audit? What does it do?
> 
> My three cents.
> Annamarie

Benefit Google shareholders.

Dave


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-04-30 Thread Annamarie Pluhar
Thanks Benny for your message.  It’s yet another reason why I love MM. 
A developer with integrity and transparency!


As a non-geek (and a grateful MM user!) what I think I’m understanding 
is that google might require some type of pricey audit that Benny 
can’t afford out of his own pocket. Is that right?  If that’s true 
perhaps all of us users could contribute to a crowd-sourced fund to pay 
for same. ??


Before we jump to that - does someone understand why Google might want 
this audit? I don’t know how many users there are but perhaps google 
could not require the audit? What does it do?


My three cents.
Annamarie

Annamarie Pluhar
802-451-1941
802-579-5975 (iPhone - not good when I'm at my desk.)

On 30 Apr 2019, at 14:22, Verdon Vaillancourt wrote:

> On Apr 30, 2019, at 9:43 AM, Steven M. Bellovin wrote:
>
>> On 30 Apr 2019, at 12:24, Dave C wrote:
>>
>>> Thanks for the update Benny.
>>>
>>> Re WKWebView, can the new features be selectively enabled? For 
>>> example, I am locked (because some apps are locked to it) to MacOS 
>>> 10.12 right now. Can image blocking be not enabled and MM still use 
>>> WK except for that feature such that it will work in 19.12?
>>>
>>> Re Gmail: good! If MM is forced to drop Gmail, I’ll finally drop 
>>> all those horrible “free” accounts.
>>
>> It's worse than that—many organizations have outsourced their email 
>> to Google. My university does, though I still run my own mail server…
>
> Same for me. Two of the five accounts I have no choice but to use are 
> Google apps. It would sadly be the end of the line for me, to be able 
> to use MM. Nasty situation. I HATE webmail clients :-(



Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-04-30 Thread Verdon Vaillancourt
On Apr 30, 2019, at 9:43 AM, Steven M. Bellovin  wrote:
> 
>> On 30 Apr 2019, at 12:24, Dave C wrote:
>> 
>> Thanks for the update Benny.
>> 
>> Re WKWebView, can the new features be selectively enabled? For example, I am 
>> locked (because some apps are locked to it) to MacOS 10.12 right now. Can 
>> image blocking be not enabled and MM still use WK except for that feature 
>> such that it will work in 19.12?
>> 
>> Re Gmail: good! If MM is forced to drop Gmail, I’ll finally drop all those 
>> horrible “free” accounts.
> 
> It's worse than that—many organizations have outsourced their email to 
> Google. My
> university does, though I still run my own mail server…
> 
Same for me. Two of the five accounts I have no choice but to use are Google 
apps. It would sadly be the end of the line for me, to be able to use MM. Nasty 
situation. I HATE webmail clients :-(


Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-04-30 Thread Steven M. Bellovin

On 30 Apr 2019, at 12:24, Dave C wrote:

> Thanks for the update Benny.
>
> Re WKWebView, can the new features be selectively enabled? For 
> example, I am locked (because some apps are locked to it) to MacOS 
> 10.12 right now. Can image blocking be not enabled and MM still use WK 
> except for that feature such that it will work in 19.12?
>
> Re Gmail: good! If MM is forced to drop Gmail, I’ll finally drop all 
> those horrible “free” accounts.

It's worse than that—many organizations have outsourced their email to 
Google. My university does, though I still run my own mail server…

--Steve Bellovin, https://www.cs.columbia.edu/~smb



Re: [MlMt] Notes on latest test release and Gmail OAuth application verification

2019-04-30 Thread Dave C
Thanks for the update Benny.

Re WKWebView, can the new features be selectively enabled? For example, I am 
locked (because some apps are locked to it) to MacOS 10.12 right now. Can image 
blocking be not enabled and MM still use WK except for that feature such that 
it will work in 19.12?

Re Gmail: good! If MM is forced to drop Gmail, I’ll finally drop all those 
horrible “free” accounts. 

Dave


> I know I'm behind on answering emails (also on the mailing list), but it 
> doesn't mean I'm not working :)
> 
> WKWebView
> 
> Right now I'd just like to note that I'm busy working on replacing the main 
> message view in MailMate. It currently uses the so-called WebView class 
> provided by Apple, but this was deprecated a long time ago (by Apple) and it 
> should be replaced by a so-called WKWebView. Both classes are used to display 
> HTML (which MailMate also generates to display plain text messages) and if 
> that is all that is needed then it's a simple replacement. But MailMate also 
> has image blocking, context sensitive menus, text search, etc. and all of 
> this has to work in a completely different way. In some cases, it's not even 
> clear that I can provide the same features as before. We'll see about that. 
> WKWebView is 10.10+, but right now it looks like image blocking can only work 
> on 10.13+. I'm not quite sure what to do about that yet...
> 
> The latest test release includes the new message view, but it's disabled for 
> now because too many things don't work yet. I'm mainly writing about this 
> since some changes might also affect the old message view in the latest test 
> release.
> 
> The good news is that when the replacement is finished then I should, at 
> least in theory, be able to fix various old issues.
> 
> Google OAuth API Application Verification
> 
> MailMate uses the so-called OAuth2 authentication method for Gmail IMAP/SMTP 
> access. This works far better than password-based access which I suspect is 
> eventually going to be dropped completely by Google. I had (and still have) 
> some reservations about OAuth2 support which I outlined in this blog post. I 
> expressed that I worried that Google would some day use OAuth2 to “hit the 
> kill switch” on MailMate...
> 
> ...and recently I was told by Google that I needed to start a verification 
> process for MailMate. I've done that and if I understand correctly I have 
> until the end of 2019 to complete this process.
> 
> Now, the problem is that I'm not really sure I can (or am willing to) 
> complete the verification process at all. It might include a security audit 
> with a price tag between $15000 and $75000+ (I'm clearly in the wrong 
> business). There seem to be exemptions for desktop email applications and 
> I've asked Google to clarify this, but I also feel that I'm obligated to tell 
> my users that I think it's a potential risk that MailMate cannot support 
> Gmail starting January 1st, 2020. As soon as I fully understand what's going 
> to happen, I'll make sure to clearly state it wherever it's relevant on the 
> homepage and in the documentation.
> 
> Here's a link to the Google FAQ on the subject if anyone is interested.
> 
> -- 
> Benny
> https://freron.com/become_a_mailmate_patron/
> 