Google and OAuth 2.0

Ben Bucksch ben.bucksch at beonex.com
Fri Apr 25 23:27:58 UTC 2014


Gervase Markham wrote, On 25.04.2014 17:52:
> http://googleonlinesecurity.blogspot.co.uk/2014/04/new-security-measures-will-affect-older.html
>
> Is this relevant to Thunderbird accessing Gmail?

I think we should actively oppose this, because this is the start of the 
end of pure email protocols.

There are big ramifications here. For me, one of the primary purposes of 
Thunderbird is to keep email an open and viable communication method, 
and to preserve open standards that can be implemented by anyone. In 
other words, one of the purposes of Thunderbird is to allow for other 
clients as well, on all kinds of platforms, for all kinds of use cases, 
not all of which are interactive (see e.g. Android app "SMS Backup+"). 
By supporting OAuth in Thunderbird, we make it more likely that Google 
will make such obnoxious auth methods mandatory at some point in the 
future. While it may be possible for Thunderbird to open a web browser 
window, it is not possible for other clients. Any email client would 
have to have a web browser, which I personally find ridiculous and 
dangerous. More generally, right now, ISPs are limited to what the IMAP 
standard allows, and to the specific purpose of email. If we open a 
browser window and make auth dependent on that, it means that we hand 
control entirely over to Google. Google can do in that window whatever 
they want, and make completely arbitrary demands on IMAP users. 
Currently, IMAP sets the rules. This would be over. So, I consider this 
to be a very dangerous move for the freedom of email.

We cannot let a single provider do whatever they want. Even more so when 
that single provider has 20% of the user base. Then it's all the more 
dangerous, because there's nobody to keep them in check.

Although many people think that, I do not think that Internet == Web. 
Email is a service of the Internet that is entirely separate from the 
Web. If we allow IMAP login to depend on an HTML webpage and/or HTTP, we 
have not only introduced a huge, and security-wise dangerous dependency, 
but also removed the ability for automation. We then require a human to 
log in.

Email != Web. We cannot allow email to depend on the web, or proprietary 
auth mechanisms. Playing along here will be highly damaging to email and 
the Internet. We need to insist on the email standards. This is 
Thunderbird's mission.

http://en.wikipedia.org/wiki/Embrace,_extend_and_extinguish
Quote: ' "Embrace, extend, and extinguish" is a phrase that the U.S. 
Department of Justice found was used internally by Microsoft to describe 
its strategy for entering product categories involving widely used 
standards, extending those standards with proprietary capabilities, and 
then using those differences to disadvantage its competitors.'

That's precisely what's happening here. Google's strategy is to bring 
everything to the web, and everything on their services and servers. 
Including email.

They are
1. "entering product categories involving widely used standards" -- 
email, using Gmail
2. "extending those standards with proprietary capabilities" -- OAuth 
for IMAP, this is happening right now
3. "using those differences to disadvantage its competitors" -- because 
soon you won't be able to use an email client without a web browser, 
which is a huge disadvantage for most situations where IMAP/SMTP is 
used. So why not use Gmail web frontend straight? Email dead.

I don't care what rationale they use. Steps 2 and 3 are dangerous.

What are all the other non-interactive email clients going to do?

(FWIW, I don't buy that "security" argument either way. Forcing me to 
enter a working phone number - *any* (!) number, BTW -, just to access 
my own account, doesn't count as "security" for me, but as privacy 
violation.)

Google knows they can't just cut off Thunderbird. The blog post didn't 
say they will, it's vaguely phrased. This is a power play, and they are 
testing the waters. But if they go ahead with this and require OAuth or 
otherwise make using Thunderbird hard, we need to jump up and down in 
the press and cry "foul". I'm not giving in.

We've seen all this with Microsoft. We've seen where this led us. Let's 
not repeat mistakes of the past. Keep the big picture in mind. Our 
opponents surely do.

I think it's very important for the future of the Internet that we 
oppose such attempts at "Embrace, extend, and extinguish". No matter from 
which angle or with which rationales they come.
