Google and OAuth 2.0

Ben Bucksch ben.bucksch at beonex.com
Mon Apr 28 15:16:03 UTC 2014


Gervase Markham wrote, On 28.04.2014 16:58:
> But the sort of questions I would want to find answers to are:
>
> * What does Google hope to gain by making this change? Is it an
> anti-spam/anti-fraud measure?
1. They block login attempts from a new country. Presumably that's 
anti-account-theft.

2. When that triggers, they demand a working phone number, where they 
send an activation code. Strangely, that can be any phone number. They 
pretend that's for "security", but the "nice" side effect for them is 
that using a phone number, they can link the account to a real life 
identity. Given that they also link the account to all searches I make 
on Google, that's a privacy invasion for me. But for Google, that means $$.

3. Long-term, their goal is to move everything (Internet and offline) to 
the web, and to their servers. They want to kill MS Office, email, phone 
etc., moving it to gmail, google cloud etc. They are not doing all this 
for fun, after all.

> * Can the additional data about logins that Google hopes to obtain be
> obtained in other ways for IMAP?

You can't ask for a phone number via IMAP. But I reject that premise and 
interest.

If a suspicious login attempt shows up via IMAP or SMTP, they can return 
an error (in IMAP/SMTP) *with* an error message that mentions reason and 
remedy, e.g.
"You are logging in from a new country. Please log in via 
https://www.gmail.com first and approve this connection."
This is (more or less) how some German freemail ISPs do it.
This is a manual hand-over, but a) it would happen only in really 
problematic cases, and b) it gives them the same possibilities as now.

> * Why can't single-service passwords continue to be used instead?

Good question. I see no problem with them.

> * Do they understand the ramifications of the idea that clients of all
> these protocols will need to contain a browser?

Google is a lot of things, but not stupid. I think they are not only 
aware, but want to force that. They want to force everything to their 
website, so they want all devices to have a web browser.

> * Are there any ramifications on open source software in particular?

OAuth contains a "client secret", I hear. That's inherently incompatible 
with client software, and open source all the more. OAuth is designed 
for websites, where the server can easily keep secrets.

> * Who are the other desktop email software providers, and what are their
> opinions?

I wouldn't know what their opinions are.
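As an added example (not code from this thread or from any mail client), here is a small Python parser for the tagged IMAP status response that the IMAP/SMTP hand-over described above relies on: it separates the optional response code (RFC 3501 [ALERT], RFC 5530 [AUTHENTICATIONFAILED]) from the human-readable text, so a client can show the server's reason and remedy instead of a bare "login failed". The sample responses are constructed.

```python
import re
from typing import Optional

# Tagged status response, RFC 3501 section 7.1:
#   <tag> SP (OK|NO|BAD) SP [ "[" resp-code "]" SP ] human-readable text
TAGGED_RE = re.compile(
    r"^(?P<tag>\S+) (?P<status>OK|NO|BAD)"
    r"(?: \[(?P<code>[^\]]*)\])? ?(?P<text>.*)$"
)

# Constructed sample: the kind of reply the mail above proposes
# that Google return for a login from a new country.
SAMPLE_NEW_COUNTRY = (
    "a001 NO [ALERT] You are logging in from a new country. "
    "Please log in via https://www.gmail.com first and approve "
    "this connection.\r\n"
)


def parse_login_response(line: str) -> dict:
    """Split a tagged LOGIN/AUTHENTICATE reply into tag, status,
    response code (first atom inside the brackets, upper-cased) and text."""
    m = TAGGED_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a tagged status response: {line!r}")
    code = m.group("code")
    return {
        "tag": m.group("tag"),
        "status": m.group("status"),
        "code": code.split()[0].upper() if code and code.split() else None,
        "text": m.group("text").strip(),
    }


def user_message(line: str) -> Optional[str]:
    """Text a client should present to the user, or None if nothing is due.
    RFC 3501 requires [ALERT] text to be shown even on OK; any NO/BAD
    reply to a login carries the reason (and, ideally, the remedy)."""
    r = parse_login_response(line)
    if r["status"] in ("NO", "BAD") or r["code"] == "ALERT":
        return r["text"]
    return None
```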


