You may lose access to some of your third-party apps...

[PKTKS]

Does anyone knows with some degree of confidence ...

How it will be the situation of email agents like FETCHMAIL  when this change takes place ?

I use FETCHMAIL by default to centralize and filter my stuff for decades..
it will be a real tragic loss if they cut fetchmail without a solution 

Thanks
Paul

[SilverSolder]

"You may lose access to some of your third-party apps"   on what device / OS,  and why?

[PKTKS]

"You may lose access to some of your third-party apps"   on what device / OS,  and why?

ops sorry not to post that ...

but by now every google user received or will receive their broadcast email warning with these titles..

On May 30, you may lose access to apps that are using less secure sign-in technology

A simple google search with this title tells that several  email clients as Outlook 2006, thunderbirds as well... and others will not be able to access gmail..

I was wondering if mail transport agents will be penalized with this paranoid settings  as well

I use fetchmail to organize things for decades...
Paul

[SiliconWizard]

Yep, got the same.

From what I gathered, third-party apps *should* still be usable if they implement OAuth 2.0. Note the *should* - as what Google will actually enforce is not crystal clear at this point.

I don't know how difficult it is to add OAuth 2.0 and what exactly are the implications (meaning: what kind of applications just could never implement it?)

[PKTKS]

Yep, got the same.

From what I gathered, third-party apps *should* still be usable if they implement OAuth 2.0. Note the *should* - as what Google will actually enforce is not crystal clear at this point.

I don't know how difficult it is to add OAuth 2.0 and what exactly are the implications (meaning: what kind of applications just could never implement it?)

geez for automated email transport agents  which does not and never will use those captchas and ati-robots paranoias...  i guess... never... 

They exist for the purpose of automation .. so far the challenge response authentication was enough for POP and IMAP...

WTF  now ?

Paul

[SilverSolder]

Making life more difficult and/or more expensive, one step at a time, seems to be the story of information technology over the last 10 years...

[magic]

I have never done that but there is supposedly OAuth support in some mail clients like Thunderbird.

Depending on the level of support in the application, it seems you will either need to log in to Goolag's web interface, generate some magic keys manually and put them in the application's config, or the application may pop up a web browser window asking you to log in to Goolag and handle all the key exchange behind the scenes with a single click.

Not sure what stops the application from trying to phish you
Hopefully it's not a problem with a desktop mail client.

[pqass]

Don't everyone get yer panties in a bunch.   

I got the same email this morning.  Just log-on to your Google account, change your security setting to 2-Step and then create an App Password for "mail".   It will generate a random 16-alphanumeric password for you. Dump that in your .fetchmailrc in place of your old password.  Works for me.

https://support.google.com/accounts/answer/185833?hl=en

EDIT: You'll need to create another App Password (use: "Other (custom name)" then name it) for the SMTP (outbound) mail.

[janoc]

Don't everyone get yer panties in a bunch.   

I got the same email this morning.  Just log-on to your Google account, change your security setting to 2-Step and then create an App Password for "mail".   It will generate a random 16-alphanumeric password for you. Dump that in your .fetchmailrc in place of your old password.  Works for me.

https://support.google.com/accounts/answer/185833?hl=en

I was just going to write this but you were faster.

The e-mail concerns only applications that use your gmail login/password for accessing your e-mail.

For those all you have to do is to generate the app password if you didn't already. That is unique for each app - so even if one app gets compromised, your account doesn't. Also app passwords allow only e-mail access but not other things normal GMail login does - e.g. GDrive, Youtube, etc.

This works completely fine in desktop e-mail clients like Thunderbird or fetchmail since years.

Nobody is going to implement OAUTH 2.0 in automated tools like fetchmail - that requires logging in through the web site and going through the rather complex authentication flow to obtain a token that has to be given to the server on each access in lieu of login/password.

It is more secure because unlike passwords, the tokens are temporary, unique to each session, easily revocable and likely generated after the user has been authenticated with 2 factor authentication (you do have that set up right?) - but also very impractical to retrofit to older tooling that doesn't use the http protocol.

[magic]

Just log-on to your Google account, change your security setting to 2-Step and then create an App Password for "mail".

Just turn on another pile of idiocy and you will be happy
Plus they say "app passwords" are not recommended, so guess what's next to go the way of the dodo.

Nobody is going to implement OAUTH 2.0 in automated tools like fetchmail - that requires logging in through the web site and going through the rather complex authentication flow to obtain a token that has to be given to the server on each access in lieu of login/password.

Wrong.
http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

[pqass]

Just turn on another pile of idiocy and you will be happy
Plus they say "app passwords" are not recommended, so guess what's next to go the way of the dodo.

Of course they would say that!  They won't be happy until only Google/Facebook/Apple are allowed to authenticate you. By taking it out of their hands entirely, it guarantees users can only use hard passwords.  Nevertheless, said can is down the road a few more years.

[magic]

More info on how to implement OAuth in native clients and recommended "best practices".
Quite an entertaining read, particularly section 8.12

https://datatracker.ietf.org/doc/html/rfc8252

[Rick Law]

I too am planning action to deal with this "You may lose access to some of your third-party apps..."

Now that I am retired, email is the only "app" I need from google.  Currently, gmail is hosting my domain's email.  I pickup email using SSL POP and send using SMTP via older outlook with mere logon password security.    My domain has about a dozen email ID/logons.

I am thinking best to do is to move my MX and use another service to host my domain's email.  Anyone has a suggestion on a low cost mail host with SSL POP and SMTP capability?  Ability to manage the domain's email accounts is necessary.  Mere single digit gb storage (for the entire domain) is plenty just to store mail until pickup by outlook.

Thanks for any suggestion.

[PKTKS]

I too am planning action to deal with this "You may lose access to some of your third-party apps..."

Now that I am retired, email is the only "app" I need from google.  Currently, gmail is hosting my domain's email.  I pickup email using SSL POP and send using SMTP via older outlook with mere logon password security.    My domain has about a dozen email ID/logons.

I am thinking best to do is to move my MX and use another service to host my domain's email.  Anyone has a suggestion on a low cost mail host with SSL POP and SMTP capability?  Ability to manage the domain's email accounts is necessary.  Mere single digit gb storage (for the entire domain) is plenty just to store mail until pickup by outlook.

Thanks for any suggestion.

Me too and that having any alternative would be great..

Problem is ... these couple of mega corps are acting and grouping more like a guild

And a kind of guild I have never seen.. close to the financial guilds or even more specialized.

We just can not run from them .. having our social financial private and even health data into their total surveilled eyes... 

The folks for sure even have their guild own representatives law makers w/ their agendas..
Which ultimately are privatizing the Internet as we know it...

Alternatives are urgently required..

Paul

[SilverSolder]

It's not that hard to find an email provider, or even run an email server yourself if you like?

[tggzzz]

The last time I tried using the new mechanism, it worked in the simple case but failed dismally in my use case.

Key points:

• seamonkey/thunderbird
• IMAP, with local copy and copy left on server
• extensive use of gmail labels, which appear as folders in seamonkey/thunderbird

I could login to the inbox as expected, but each time I changed to a different folder (i.e. label), I had to login again. Aargh!

Has anyone else experienced that?
What's the workaround?

[PKTKS]

It's not that hard to find an email provider, or even run an email server yourself if you like?

I already rumn my own mail servers internally  but the problem is the totality of accounts i have are already set with my gmail account

So..  instead of going against the flow.. my internal servers just relay the accounts to  qmail...

We just can not run that easy from such guild privatizing the base internet services

Paul

[MuseChaser]

Protonmail.com

/thread

[PKTKS]

Protonmail.com

/thread

That was a nice addition... 

Paul

[SiliconWizard]

I have never done that but there is supposedly OAuth support in some mail clients like Thunderbird.

Depending on the level of support in the application, it seems you will either need to log in to Goolag's web interface, generate some magic keys manually and put them in the application's config, or the application may pop up a web browser window asking you to log in to Goolag and handle all the key exchange behind the scenes with a single click.

I have one Google mail account that I access through Thunderbird using OAuth 2.0. It works fine. Problem is, there is indeed a pop up window, but not everytime you connect. Apparently just the first time you connect with a particular application on a particular device. I had to do this only once that I can remember, when I set up the account.

I don't know the details of OAuth enough to understand how that really works. But that could certainly be annoying/or even unworkable with some fully automated tools.

Of course, the wisest move would probably just to get rid of anything Google.

[tggzzz]

I have one Google mail account that I access through Thunderbird using OAuth 2.0. It works fine. Problem is, there is indeed a pop up window, but not everytime you connect. Apparently just the first time you connect with a particular application on a particular device. I had to do this only once that I can remember, when I set up the account.

Could you do me a favour and try that with gmail labels, which appear as folders in the thunderbird/seamonkey email client.

I've had problems with that, as per https://www.eevblog.com/forum/networking/you-may-lose-access-to-some-of-your-third-party-apps/msg4049557/#msg4049557

Thanks in advance

[magic]

I don't know the details of OAuth enough to understand how that really works. But that could certainly be annoying/or even unworkable with some fully automated tools.

1. The application sends you to Google login page with some magic URL parameters.
2. You log in, Google generates a magic code ("refresh token") which it prints on the screen for you to type into the application or uses some MalwareScript to transfer it from the browser to the application over http://127.0.0.1/ or similar means.
3. The application sends some HTTP requests with the refresh token to obtain an access token valid for a short time each time it needs to do something.
4. Google may revoke the refresh token and any derived access tokens when you change your account password, revoke Thunderbird access or if it simply feels like doing so.

It's not even a bad scheme, but the implementation is kinda stupid because it's designed solely with idiots in mind and built on all those webshit technologies. In particular, nothing stops the application from showing you something that looks like a browser but is not a browser, taking your password and using it to handle conversion into refresh tokens fully automatically. Or using that password for some other purposes. There may be captcha on Google login page to prevent the former at least. It would also be nice to have a simple UI for manually generating such tokens for applications that don't fully support all that HTTP/OAuth nonsense.

If something goes wrong and you get a new login request each time you view a different directory, have fun debugging it
Maybe Thunderbird forgets its tokens or screws something, maybe GMail is buggy and revokes the token.
Try customer support

[Rick Law]

It's not that hard to find an email provider, or even run an email server yourself if you like?

I already rumn my own mail servers internally  but the problem is the totality of accounts i have are already set with my gmail account

So..  instead of going against the flow.. my internal servers just relay the accounts to  qmail...

We just can not run that easy from such guild privatizing the base internet services

Paul

I used to run my own email server.  I was about to switch back to my own server during the virus crisis, but then it occur to me: if I kick the bucket, there would be no one to support the system and within weeks, my family's email (and home server) would be running into difficulties. 

Virus or no virus, I have long since reached retirement age.  Not waking up is a distinct possibility and the probability is only increasing as the clock ticks.  So, I begun re-organizing my home systems to minimize dependence on my being here.  Don't get me wrong, I don't have a dark outlook in life.  I am happy to be around - but I am just being realistic.

[PKTKS]

I used to run my own email server.  I was about to switch back to my own server during the virus crisis, but then it occur to me: if I kick the bucket, there would be no one to support the system and within weeks, my family's email (and home server) would be running into difficulties. 

Virus or no virus, I have long since reached retirement age.  Not waking up is a distinct possibility and the probability is only increasing as the clock ticks.  So, I begun re-organizing my home systems to minimize dependence on my being here.  Don't get me wrong, I don't have a dark outlook in life.  I am happy to be around - but I am just being realistic.

Nothing odd about that..

I run the internal servers several decades straight..
And having them relaying all external accounts is like having the grunt part delegated..

kinda hope for the best prepare for the odds..

Even if their greed change things ahead I have the whole thing locally and switch  the delegated part...

Worked fine so far..

but these latest paranoid settings are not good..

Paul

[Ed.Kloonk]

Protonmail.com

/thread

That was a nice addition... 

Paul

Dangerous. Single point of failure.

Be careful.

[PKTKS]

Protonmail.com

/thread

That was a nice addition... 

Paul

Dangerous. Single point of failure.

Be careful.

yep    they are *ALL* a single point of problems...

Some decades    ago I was on both gmail and  http://safe-mail.net/ ..
Doing relay for my local servers..

for the sake of not going against the exponential uncle goog grw..
ditched the latter..

today I am considering yet again having redundant relays...
locally stuff is interfaced externally with Postfix but all internal goes QMail

DJB stuff is unbeatable

Paul 

[PKTKS]

2 more cents on this OAuth  nonsense saga... 

After dealing with a lot of this *** for a while..
it seems now obvious to me that it is arguably useless..
reason being:
- it does not add security whatsoever better than already done with SSL/TLS channels
- it really locks out a lot of external reliable tools for 3rd part competitors ..
- namely all stand alone relays like QMail Postfix .. sendmail.. fetchmail
- it is a total pain to setup a reliable server outside the scope of their intended business..
- and very limited security de facto is (if not a considerable insecurity arises)

Have  a deep  look at the scripts and patches for fetchmail devel 7.x
Postifx and fetchmail kludges available here

http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

Cheers
Pauil

[magic]

By the way, to access GMail with OAuth2 you will need a client ID issued by Google.

There are many tutorials how to generate your own, which I think is only valid for accessing the account that requested it without paying $$$ to Google. But if you don't want even the hassle of generating a free client ID valid for your own account, there is also an option to use a well known ID.

This one works
https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm

[Rick Law]

2 more cents on this OAuth  nonsense saga... 

After dealing with a lot of this *** for a while..
it seems now obvious to me that it is arguably useless..
reason being:
- it does not add security whatsoever better than already done with SSL/TLS channels
- it really locks out a lot of external reliable tools for 3rd part competitors ..
- namely all stand alone relays like QMail Postfix .. sendmail.. fetchmail
- it is a total pain to setup a reliable server outside the scope of their intended business..
- and very limited security de facto is (if not a considerable insecurity arises)

Have  a deep  look at the scripts and patches for fetchmail devel 7.x
Postifx and fetchmail kludges available here

http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

Cheers
Pauil

[ RL: added underline to quoted text ]

I think that is their whole purpose of this exercise: lock out all 3rd party activities and channel everything you do to be within the google universe.

There was a saying (supposingly by Stern, the one NYU Business School is named after): "When you got the customers by the balls, their hearts and minds will folllow."

[SilverSolder]

2 more cents on this OAuth  nonsense saga... 

After dealing with a lot of this *** for a while..
it seems now obvious to me that it is arguably useless..
reason being:
- it does not add security whatsoever better than already done with SSL/TLS channels
- it really locks out a lot of external reliable tools for 3rd part competitors ..
- namely all stand alone relays like QMail Postfix .. sendmail.. fetchmail
- it is a total pain to setup a reliable server outside the scope of their intended business..
- and very limited security de facto is (if not a considerable insecurity arises)

Have  a deep  look at the scripts and patches for fetchmail devel 7.x
Postifx and fetchmail kludges available here

http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

Cheers
Pauil

[ RL: added underline to quoted text ]

I think that is their whole purpose of this exercise: lock out all 3rd party activities and channel everything you do to be within the google universe.

There was a saying (supposingly by Stern, the one NYU Business School is named after): "When you got the customers by the balls, their hearts and minds will folllow."

Theodore Roosevelt

[magic]

OAuth solves a real problem of having to store a copy of your password in every mail program on every machine, which can subsequently be used to completely pwn the account by anyone who manages to compromise one of the clients.

Problem is that OAuth is a byzantine solution from the land of "web applications" and ill-suited for the job. Much simpler, a separate password could be generated for just downloading mail, without access to the rest of the account. I suppose that was deemed too complex for the sheeple to manage.

[Nominal Animal]

Even better would be if instead of passwords, one could use a public-key instead.

To simplify, public key cryptography is based on symmetric key pairs where anything encrypted with one half is decryptable by only the other half –– even knowing the encryption key won't help in the decryption! ––, and knowing one half does not reveal anything about the other half.

To verify that someone is in possession of one half of a public-key pair, you need the other half.  The keys are never transmitted even in encrypted form: instead, both ends just encrypt a prearranged message, and decrypt it to verify the other end knows the other half of the key.  The message does not need to be anything fixed: even a random message with a checksum (hash) will work just fine.  A symmetric cipher key used to encrypt the rest of the communication is what most forms of TLS uses.

The one service that supports these well is SSH.  "Identity" is the file containing each public key the user can use (per account on a remote machine), and ssh-keygen the tool used to generate the key pairs.  It adds the private (secret) half to ones identity file, and shows what to tell the server to accept; the server part containing the public half of the key pair.

Just think what it would be like when attackers subverting the servers only means they can control that service, and pretend to be that server to its clients, but not otherwise compromise the security of the clients at all.

[magic]

I see no advantage.

The only potential problem is password reuse, but that is easy enough to prevent: make the server itself generate the password, and make it ugly enough that the user won't feel tempted. No usability issue here because the PW is only meant to be pasted into configuration of a mail client.

Google has such functionality, called "app passwords", but they only enable it on accounts with 2FA and even then it seems they prefer you to use OAuth instead

[Nominal Animal]

I see no advantage.

Well, the difference is that if someone manages to steal the user password by observing the server software, they can later pretend to be the user as long as the user does not change the password.  (Typically, the client sends the password over a TLS-encrypted connection.  The server prepends/appends the salt it has stored to the password, and hashes the resulting plaintext, and compares the resulting hash to the hash stored along with the salt.)

No matter how thoroughly you observe what the server software does, you can't pretend to be the user, when public key pairs are used.

Most companies detect and react to intrusions into their machines rather quickly.  It is the informing their users part that they fumble, because it is Bad For Business.  With public key pairs, as soon as the server is re-secured, future user information is safe.  Nothing an attacker could find out on the server lets them pretend to be the user afterwards, unlike when passwords are used.  With passwords, attackers might continue to have access to user information afterwards by pretending to be users, using passwords they observed being used while having access to the server, until users change their passwords.

But in most other ways, both passwords and halves of public keys can be considered as authenticating tokens: authentication is just verification of possession of the token.

[magic]

The passwords could be revoked following a server compromise. But I guess it's more hassle for the users in such case.

[PKTKS]

Wasted several hours across days
creating  those things without success

Could not use a way to make clients like claws and fetchmail 7.0 to access pop or imap

This is obviously a lock of email by proprietary apis forcing log in

Never saw a waste of time like this for already safe tls cons.. 

You know internet is privatized and soon proprietary chips will tag everything

Paul

[magic]

Claws, Thunderbird and Evolution support OAuth2.
If you need a client ID because your application doesn't have one, just use TB's.

[PKTKS]

Claws, Thunderbird and Evolution support OAuth2.
If you need a client ID because your application doesn't have one, just use TB's.

Claws and fetchmail RC claim to support OAuth..

Tried for days hours long.. all credentials in place everything seems ok..

Nothing works.

My opinion about this is unprintable

Paul