Public bug reported:

Binary package hint: gm-notify

It would be more secure if gm-notify didn't actually ask for the user's
password, but instead authenticated with a Gmail API key thing. (I'm
sorry if you can't understand me, I'm not a technical person.) You may
have seen Flickr do this with its client applications, for example.

This would have the following advantages:
1.    The permission granted to each copy of gm-notify would be easily 
revocable.
2.    It would mean the password can't be directly stolen.
3.    If the key was stolen or misused, it could only access a limited amount 
of the data associated with your Google Account. E.g. just headers of received 
emails.
4.    Should there be a security hole in this program allowing attackers to 
steal login info, it would be easier for Google to pinpoint that it was this 
application that had the security hole.
5.    It might be slicker and more convenient to the user.

(Alternatively, the application should be tested with Google's two-
factor authentication. Currently, it seems a bit problematic, even when
you use the application-specific password.)

Ubuntu 11.04 Natty.
0.10.3-0ubuntu1 (gm-notify)

Thank-you.

** Affects: gm-notify (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: api authentication gmail login security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/774498

Title:
  Doesn't use secure API service

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs