Google and OAuth 2.0
ben.bucksch at beonex.com
Fri Apr 25 23:27:58 UTC 2014

Gervase Markham wrote, On 25.04.2014 17:52:
> Is this relevant to Thunderbird accessing Gmail?

I think we should actively oppose this, because this is the start of the
end of pure email protocols.

There are big ramifications here. For me, one of the primary purposes of
Thunderbird is to keep email an open and viable communication method,
and to preserve open standards that can be implemented by anyone. In
other words, one of the purposes of Thunderbird is to allow for other
clients as well, on all kinds of platforms, for all kinds of use cases,
not all of which are interactive (see e.g. Android app "SMS Backup+").

By supporting OAuth in Thunderbird, we make it more likely that Google
will make such obnoxious auth methods mandatory at some point in the
future. While it may be possible for Thunderbird to open a web browser
window, it is not possible for other clients. Any email client would
have to have a web browser, which I personally find ridiculous and
dangerous. More generally, right now, ISPs are limited to what the IMAP
standard allows, and to the specific purpose of email. If we open a
browser window and make auth dependent on that, it means that we hand
control entirely over to Google. Google can do in that window whatever
they want, and make completely arbitrary demands on IMAP users.
Currently, IMAP sets the rules. This would be over. So, I consider this
to be a very dangerous move for the freedom of email.

We cannot let a single provider do whatever they want. Even more so when
that single provider has 20% of the user base. Then it's all the more
dangerous, because there's nobody to keep them in check.

Although many people think that, I do not think that Internet == Web.
Email is a service of the Internet that is entirely separate from the
Web. If we allow IMAP login to depend on an HTML webpage and/or HTTP, we
have not only introduced a huge, and security-wise dangerous dependency,
but also removed the ability for automation. We then require a human to

Email != Web. We cannot allow email to depend on the web, or proprietary
auth mechanisms. Playing along here will be highly damaging to email and
the Internet. We need to insist on the email standards. This is

Quote: ' "Embrace, extend, and extinguish" is a phrase that the U.S.
Department of Justice found was used internally by Microsoft to describe
its strategy for entering product categories involving widely used
standards, extending those standards with proprietary capabilities, and
then using those differences to disadvantage its competitors.'

That's precisely what's happening here. Google's strategy is to bring
everything to the web, and everything on their services and servers.

1. "entering product categories involving widely used standards" --
email, using Gmail
2. "extending those standards with proprietary capabilities" -- OAuth
for IMAP, this is happening right now
3. "using those differences to disadvantage its competitors" -- because
soon you won't be able to use an email client without a web browser,
which is a huge disadvantage for most situations where IMAP/SMTP is
used. So why not use Gmail web frontend straight? Email dead.

I don't care what rationale they use. Steps 2 and 3 are dangerous.
What are all the other non-interactive email clients going to do?

(FWIW, I don't buy that "security" argument either way. Forcing me to
enter a working phone number - *any* (!) number, BTW -, just to access
my own account, doesn't count as "security" for me, but as privacy

Google knows they can't just cut off Thunderbird. The blog post didn't
say they will, it's vaguely phrased. This is power play, and they are
testing waters. But if they go ahead with this and require OAuth or
otherwise make using Thunderbird hard, we need to jump up and down in
the press and cry "foul". I'm not giving in.

We've seen all this with Microsoft. We've seen where this led us. Let's
not repeat mistakes of the past. Keep the big picture in mind. Our
opponents surely do.

I think it's very important for the future of the Internet that we
oppose such attempts at "Embrace, extend, and extinguish". No matter from
which angle or with which rationales they come.
More information about the tb-planning