Google and OAuth 2.0

Onno Ekker o.e.ekker at gmail.com
Fri May 2 14:19:50 UTC 2014


http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/


On Wed, Apr 30, 2014 at 8:47 PM, Joshua Cranmer 🐧 <Pidgeot18 at gmail.com>wrote:

> On 4/25/2014 10:52 AM, Gervase Markham wrote:
>
>> http://googleonlinesecurity.blogspot.co.uk/2014/04/new-
>> security-measures-will-affect-older.html
>>
>> Is this relevant to Thunderbird accessing Gmail?
>>
>
> This was brought up in the status meeting, and we resolved to reach out to
> Gmail to clarify some questions. Here's the status of as right now:
> 1. The clarification from GMail IMAP folks is:
>
>> The bottom line is that GMail would really like Thunderbird to use OAuth2
>> for imap/smtp/pop access. If it doesn't, there's an increased possibility
>> that GMail will suspect the login attempt is unauthorized. If you keep
>> using the same IP address, or have two factor auth turned on, you'll most
>> likely be OK. Otherwise, the users run the risk of having to jump through
>> some hoops to get imap access again (I don't know the exact details of
>> that...)
>>
>
> 2. I've made a post to the IMAP-protocol list about this topic (it felt
> more relevant there than the Kitten working group): <http://mailman13.u.
> washington.edu/pipermail/imap-protocol/2014-April/002243.html>. From
> responses in the past 12 hours, it does seem like there is agreement by
> client implementers that some of these issues need to be resolved.
>
> 3. I've been told by both Bienvenu and Brandon that the OAuth people have
> been brought into the discussion, although they haven't responded publicly
> yet.
>
> It looks to me that it will be possible to see many of the concerns I have
> about OAuth discussed and addressed.
>
> As a side note, it also looks like other IMAP servers are planning on
> supporting OAuth 2.0. Outlook.com recently rolled out support for it as
> well, and I think there was another server the name of which I don't recall
> right now.
>
>
> --
> Joshua Cranmer
> Thunderbird and DXR developer
> Source code archæologist
>
> _______________________________________________
> tb-planning mailing list
> tb-planning at mozilla.org
> https://mail.mozilla.org/listinfo/tb-planning
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20140502/f28a294d/attachment.html>


More information about the tb-planning mailing list