Closed Bug 1096894 Opened 10 years ago Closed 2 years ago

Google Mail includes SeaMonkey Mail among "less secure apps"

Categories: SeaMonkey :: MailNews: General, defect
Type: defect
Priority: Not set
Severity: normal

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: fedrip, Assignee: Unassigned


User Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30
Build ID: 20141013232806

Steps to reproduce:

I'm trying to configure my Gmail account on SeaMonkey (ver. 2.30).
Unfortunately it is impossible to use it without deactivating a special setting on Google Accounts.
See https://support.google.com/accounts/answer/6010255?hl=en
It seems that Google is discouraging what's known as Basic Authentication, while actively encouraging the use of OAuth2.


Actual results:

It is impossible to set up a Gmail account on SeaMonkey Mail without deactivating a specific setting that makes the entire account less secure.


Expected results:

Can you implement a safer authentication method?

I'm not really following, but maybe there's something we need to pick up on our end?

Bug 1065846 - [email][v2.0] v2.0-specific GMail "less secure apps" mitigation

http://kb.mozillazine.org/Using_Gmail_with_Thunderbird_and_Mozilla_Suite#Less_Secure_Apps
(In reply to therube from comment #1)
> I'm not really following, but maybe there's something we need to pick up on
> our end?
> 
> Bug 1065846 - [email][v2.0] v2.0-specific GMail "less secure apps" mitigation
> 
> http://kb.mozillazine.org/Using_Gmail_with_Thunderbird_and_Mozilla_Suite#Less_Secure_Apps

That one is Firefox OS-specific...
See Thunderbird bug 849540 rather (that would likely require MailNews Core changes). I have no problems with accessing the account using SM's IMAP and the "less secure apps" enabled, though annoyingly the web interface bugs me now and then to sign up for their 2-stage authentication.

How proprietary is it anyway? It seems that OAuth2 is more a framework than an explicit standard, thus implementing it in a Gmail-specific way may not make it work with other ISPs implementing it in a different way (see "Interoperability" in the article linked to below).

http://en.wikipedia.org/wiki/OAuth#OAuth_2.0
If you have used IMAP at least once with Google GMail, you're grandfathered in. New users have to use oauth2, I think. Thunderbird developers are currently discussing Google's insistence on using oauth2. The IMAP code is shared with Thunderbird so we'll pick up whatever solution the TB people decide on.
Summary: Google Mail include Seamonky'Mail amont "less secure apps" → Google Mail includes Seamonkey Mail among "less secure apps"
> If you have used IMAP at least once with Google GMail, you're grandfathered in.

That explains why I can't remember having ever explicitly set it.

> we'll pick up whatever solution the TB people decide on.

Assuming that OAuth 2.0 wants to open a web page for the second-step authentication, there /may/ be some application-specific step involved (unless it's just opening a standard browser tab, that should work, but would show up in the browser rather than in a mail window).

An interesting read from bug 849540 comment #43 is a 2012 blog entry from the former lead of OAuth at http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/ listing a couple of actual regressions from version 1.0 to 2.0 by removal of features or checks, and some harsh criticism on the weakness of the standard. This may be subjective, but indicative for this possibly not being a well defined standard (thus again asking for interoperability issues beyond Gmail).
Summary: Google Mail includes Seamonkey Mail among "less secure apps" → Google Mail includes SeaMonkey Mail among "less secure apps"
Heh, funny - there is already a mailnews/base/util/OAuth2.jsm module which started off in Lightning as calendar/base/modules/OAuth2.jsm in order to talk to the Google Calendar more than a year ago, then got migrated to MailNews Core as part of FileLink bug 1021684 in June 2014. Thus, the bulk of code needed for actually using this for other protocols may already be there?
(In reply to rsx11m from comment #6)
> Heh, funny - there is already a mailnews/base/util/OAuth2.jsm module which
> started off in Lightning as calendar/base/modules/OAuth2.jsm in order to
> talk to the Google Calendar more than a year ago, then got migrated to
> MailNews Core as part of FileLink bug 1021684 in June 2014. Thus, the bulk
> of code needed for actually using this for other protocols may already be
> there?

Yes, see the discussions in #maildev in the past few days with jcanmer, rkent, brong (fastmail developer).
There is a hard requirement for OAuth2 in Thunderbird 38 (equivalent to SeaMonkey 2.35).
I don't know if there are any specific bugs in MailNews Core that I can link to at the moment.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86 → All
See Also: → 849540
Version: SeaMonkey 2.30 Branch → Trunk

Google does not allow any standard IMAP/POP3 authentication anymore. (Only with 2-factor authentication can one work around this by using app passwords.)
SeaMonkey now features OAuth2 to access Gmail accounts successfully. (https://bugzilla.mozilla.org/show_bug.cgi?id=1155491)
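
Added illustration (not part of the bug thread and not SeaMonkey's own OAuth2.jsm code): the sketch below contrasts what a mail client sends for IMAP `AUTHENTICATE PLAIN` with what it sends for Google's `XOAUTH2` SASL mechanism. The first carries the account password itself, the second only an OAuth2 access token. Function names are hypothetical, and the account name, password and token are constructed samples.

```javascript
// Constructed sample values, not real credentials.
const SAMPLE_USER = "user@example.com";
const SAMPLE_PASSWORD = "correct horse battery staple";
const SAMPLE_TOKEN = "sample-access-token.abc123";

// SASL PLAIN (RFC 4616): authzid NUL authcid NUL password, base64-encoded.
function saslPlain(user, password) {
  return Buffer.from(`\u0000${user}\u0000${password}`, "utf8").toString("base64");
}

// Google XOAUTH2: "user=" user ^A "auth=Bearer " token ^A ^A, base64-encoded.
function saslXoauth2(user, accessToken) {
  const raw = `user=${user}\u0001auth=Bearer ${accessToken}\u0001\u0001`;
  return Buffer.from(raw, "utf8").toString("base64");
}

// Decode an initial response and report which kind of secret it exposes to
// anyone who can read it (a proxy, a log file, a compromised client profile).
function describeSaslResponse(mechanism, b64) {
  const raw = Buffer.from(b64, "base64").toString("utf8");
  if (mechanism === "PLAIN") {
    const parts = raw.split("\u0000");
    if (parts.length !== 3) throw new Error("malformed PLAIN response");
    return { user: parts[1], secretKind: "account password", secret: parts[2] };
  }
  if (mechanism === "XOAUTH2") {
    const fields = Object.fromEntries(
      raw.split("\u0001").filter(Boolean).map((kv) => {
        const i = kv.indexOf("="); // the token itself may contain "="
        return [kv.slice(0, i), kv.slice(i + 1)];
      })
    );
    if (!fields.user || !/^Bearer \S+$/.test(fields.auth || "")) {
      throw new Error("malformed XOAUTH2 response");
    }
    return { user: fields.user, secretKind: "OAuth2 bearer token",
             secret: fields.auth.slice("Bearer ".length) };
  }
  throw new Error(`unsupported mechanism: ${mechanism}`);
}

// Same mailbox, two mechanisms: only PLAIN puts the password on the wire.
function compareMechanisms() {
  return [
    describeSaslResponse("PLAIN", saslPlain(SAMPLE_USER, SAMPLE_PASSWORD)),
    describeSaslResponse("XOAUTH2", saslXoauth2(SAMPLE_USER, SAMPLE_TOKEN)),
  ];
}
```

Both strings are only base64-encoded, so confidentiality still depends on TLS; the difference is that the XOAUTH2 response never contains the password that also unlocks the rest of the Google account.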

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED