Author Topic: You may lose access to some of your third-party apps...  (Read 3971 times)

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: You may lose access to some of your third-party apps...
« Reply #25 on: March 09, 2022, 01:33:54 pm »
Protonmail.com

/thread

That was a nice addition...  :-+

Paul

Dangerous. Single point of failure.

Be careful.

yep  ::)  they are *ALL* a single point of problems...

Some decades  ::)  ago I was on both gmail and  http://safe-mail.net/ ..
Doing relay for my local servers..

for the sake of not going against the exponential uncle goog grw..
ditched the latter..

today I am considering yet again having redundant relays...
locally stuff is interfaced externally with Postfix but all internal goes QMail

DJB stuff is unbeatable

Paul  :-+
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: You may lose access to some of your third-party apps...
« Reply #26 on: April 18, 2022, 10:18:13 am »
2 more cents on this OAuth nonsense saga...  :o

After dealing with a lot of this *** for a while..
it seems now obvious to me that it is arguably useless..
reason being:
- it does not add security whatsoever better than already done with SSL/TLS channels
- it really locks out a lot of external reliable tools for 3rd party competitors ..
- namely all stand alone relays like QMail Postfix .. sendmail.. fetchmail
- it is a total pain to set up a reliable server outside the scope of their intended business..
- and very limited security de facto is (if not a considerable insecurity arises)

Have a deep look at the scripts and patches for fetchmail devel 7.x
Postfix and fetchmail kludges available here

http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

Cheers
Paul
 

Online magic

  • Super Contributor
  • ***
  • Posts: 4995
  • Country: pl
Re: You may lose access to some of your third-party apps...
« Reply #27 on: July 20, 2022, 08:54:16 am »
By the way, to access GMail with OAuth2 you will need a client ID issued by Google.

There are many tutorials on how to generate your own, which I think is only valid for accessing the account that requested it without paying $$$ to Google. But if you don't want even the hassle of generating a free client ID valid for your own account, there is also an option to use a well known ID.

This one works :-DD
https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm
 
The following users thanked this post: Ed.Kloonk

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3279
  • Country: us
Re: You may lose access to some of your third-party apps...
« Reply #28 on: July 20, 2022, 05:30:20 pm »
2 more cents on this OAuth nonsense saga...  :o

After dealing with a lot of this *** for a while..
it seems now obvious to me that it is arguably useless..
reason being:
- it does not add security whatsoever better than already done with SSL/TLS channels
- it really locks out a lot of external reliable tools for 3rd party competitors ..
- namely all stand alone relays like QMail Postfix .. sendmail.. fetchmail
- it is a total pain to set up a reliable server outside the scope of their intended business..
- and very limited security de facto is (if not a considerable insecurity arises)

Have a deep look at the scripts and patches for fetchmail devel 7.x
Postfix and fetchmail kludges available here

http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

Cheers
Paul
[ RL: added underline to quoted text ]

I think that is their whole purpose of this exercise: lock out all 3rd party activities and channel everything you do to be within the google universe.

There was a saying (supposedly by Stern, the one NYU Business School is named after): "When you got the customers by the balls, their hearts and minds will follow."
 
The following users thanked this post: SilverSolder

Offline SilverSolder

  • Super Contributor
  • ***
  • Posts: 5932
  • Country: 00
Re: You may lose access to some of your third-party apps...
« Reply #29 on: July 20, 2022, 05:48:30 pm »
2 more cents on this OAuth nonsense saga...  :o

After dealing with a lot of this *** for a while..
it seems now obvious to me that it is arguably useless..
reason being:
- it does not add security whatsoever better than already done with SSL/TLS channels
- it really locks out a lot of external reliable tools for 3rd party competitors ..
- namely all stand alone relays like QMail Postfix .. sendmail.. fetchmail
- it is a total pain to set up a reliable server outside the scope of their intended business..
- and very limited security de facto is (if not a considerable insecurity arises)

Have a deep look at the scripts and patches for fetchmail devel 7.x
Postfix and fetchmail kludges available here

http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

Cheers
Paul
[ RL: added underline to quoted text ]

I think that is their whole purpose of this exercise: lock out all 3rd party activities and channel everything you do to be within the google universe.

There was a saying (supposedly by Stern, the one NYU Business School is named after): "When you got the customers by the balls, their hearts and minds will follow."


Theodore Roosevelt
 

Online magic

  • Super Contributor
  • ***
  • Posts: 4995
  • Country: pl
Re: You may lose access to some of your third-party apps...
« Reply #30 on: July 20, 2022, 09:43:31 pm »
OAuth solves a real problem of having to store a copy of your password in every mail program on every machine, which can subsequently be used to completely pwn the account by anyone who manages to compromise one of the clients.

Problem is that OAuth is a byzantine solution from the land of "web applications" and ill-suited for the job. Much simpler, a separate password could be generated for just downloading mail, without access to the rest of the account. I suppose that was deemed too complex for the sheeple to manage.
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 4145
  • Country: fi
    • My home page and email address
Re: You may lose access to some of your third-party apps...
« Reply #31 on: July 21, 2022, 01:00:12 pm »
Even better would be if, instead of passwords, one could use a public key.

To simplify, public key cryptography is based on symmetric key pairs where anything encrypted with one half is decryptable by only the other half –– even knowing the encryption key won't help in the decryption! ––, and knowing one half does not reveal anything about the other half.

To verify that someone is in possession of one half of a public-key pair, you need the other half.  The keys are never transmitted even in encrypted form: instead, both ends just encrypt a prearranged message, and decrypt it to verify the other end knows the other half of the key.  The message does not need to be anything fixed: even a random message with a checksum (hash) will work just fine.  A symmetric cipher key used to encrypt the rest of the communication is what most forms of TLS use.

The one service that supports these well is SSH.  "Identity" is the file containing each public key the user can use (per account on a remote machine), and ssh-keygen the tool used to generate the key pairs.  It adds the private (secret) half to one's identity file, and shows what to tell the server to accept; the server part containing the public half of the key pair.

Just think what it would be like when attackers subverting the servers only means they can control that service, and pretend to be that server to its clients, but not otherwise compromise the security of the clients at all.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 4995
  • Country: pl
Re: You may lose access to some of your third-party apps...
« Reply #32 on: July 21, 2022, 01:14:20 pm »
I see no advantage.

The only potential problem is password reuse, but that is easy enough to prevent: make the server itself generate the password, and make it ugly enough that the user won't feel tempted. No usability issue here because the PW is only meant to be pasted into configuration of a mail client.

Google has such functionality, called "app passwords", but they only enable it on accounts with 2FA and even then it seems they prefer you to use OAuth instead |O
 

Offline Nominal Animal

  • Super Contributor
  • ***
  • Posts: 4145
  • Country: fi
    • My home page and email address
Re: You may lose access to some of your third-party apps...
« Reply #33 on: July 21, 2022, 02:20:13 pm »
I see no advantage.
Well, the difference is that if someone manages to steal the user password by observing the server software, they can later pretend to be the user as long as the user does not change the password.  (Typically, the client sends the password over a TLS-encrypted connection.  The server prepends/appends the salt it has stored to the password, and hashes the resulting plaintext, and compares the resulting hash to the hash stored along with the salt.)

No matter how thoroughly you observe what the server software does, you can't pretend to be the user, when public key pairs are used.

Most companies detect and react to intrusions into their machines rather quickly.  It is the informing their users part that they fumble, because it is Bad For Business.  With public key pairs, as soon as the server is re-secured, future user information is safe.  Nothing an attacker could find out on the server lets them pretend to be the user afterwards, unlike when passwords are used.  With passwords, attackers might continue to have access to user information afterwards by pretending to be users, using passwords they observed being used while having access to the server, until users change their passwords.

But in most other ways, both passwords and halves of public keys can be considered as authenticating tokens: authentication is just verification of possession of the token.
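
The contrast drawn in replies #31 and #33, as an added example that is not part of any post in the thread: a salted-hash password login where an observer on the server captures a reusable secret, next to a challenge-response login where the observer captures only a response bound to one random challenge. The RSA key here is an assumption made so the sketch runs on the Python standard library alone (two small Mersenne primes, no padding, illustration only); all function names and the sample password are constructed.

```python
import hashlib, hmac, secrets

def enroll_password(password):
    """Server stores only (salt, hash), as the post describes."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_login(record, password, tap):
    tap.append(password)  # an intruder watching the server process sees this
    salt, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, stored)

# Toy textbook RSA: two Mersenne primes, no padding. Illustration only.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                           # public half, held by the server
D = pow(E, -1, (P - 1) * (Q - 1))   # private half, never leaves the client

def digest_int(challenge, n):
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def client_respond(challenge):
    """Runs on the client: proves possession of D without revealing it."""
    return pow(digest_int(challenge, N), D, N)

def keypair_login(public, respond, tap):
    n, e = public
    challenge = secrets.token_bytes(32)   # fresh random message per login
    response = respond(challenge)
    tap.append((challenge, response))     # all the intruder gets to see
    return pow(response, e, n) == digest_int(challenge, n)

def demo():
    tap = []
    record = enroll_password("constructed-sample-password")
    user_pw_ok = password_login(record, "constructed-sample-password", tap)
    # After the server is re-secured, the observed password still logs in.
    stolen_pw_ok = password_login(record, tap[0], [])
    user_key_ok = keypair_login((N, E), client_respond, tap)
    # Replaying the observed response against a new challenge fails.
    observed_response = tap[1][1]
    replay_ok = keypair_login((N, E), lambda challenge: observed_response, [])
    return user_pw_ok, stolen_pw_ok, user_key_ok, replay_ok

if __name__ == "__main__":
    print(demo())
```
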
 

Online magic

  • Super Contributor
  • ***
  • Posts: 4995
  • Country: pl
Re: You may lose access to some of your third-party apps...
« Reply #34 on: July 21, 2022, 03:30:08 pm »
The passwords could be revoked following a server compromise. But I guess it's more hassle for the users in such case.
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: You may lose access to some of your third-party apps...
« Reply #35 on: July 22, 2022, 08:14:07 am »
Wasted several hours across days
creating  those things without success

Could not use a way to make clients like claws and fetchmail 7.0 to access pop or imap

This is obviously a lock of email by proprietary apis forcing log in

Never saw a waste of time like this for already safe tls cons.. 

You know internet is privatized and soon proprietary chips will tag everything

Paul
 

Online magic

  • Super Contributor
  • ***
  • Posts: 4995
  • Country: pl
Re: You may lose access to some of your third-party apps...
« Reply #36 on: July 22, 2022, 08:34:27 am »
Claws, Thunderbird and Evolution support OAuth2.
If you need a client ID because your application doesn't have one, just use TB's.
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: You may lose access to some of your third-party apps...
« Reply #37 on: July 22, 2022, 10:57:00 am »
Claws, Thunderbird and Evolution support OAuth2.
If you need a client ID because your application doesn't have one, just use TB's.

Claws and fetchmail RC claim to support OAuth..

Tried for days hours long.. all credentials in place everything seems ok..

Nothing works.

My opinion about this is unprintable

Paul
 

