Closed Bug 1258255 Opened 9 years ago Closed 3 years ago

Google Chat complains that Thunderbird "doesn't meet modern security standards" (should use OAuth)

Categories

(Chat Core :: XMPP, defect)

Product:
Chat Core
Component:
XMPP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1238631

People

(Reporter: joel.forums, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

Google_error_message.JPG
30.11 KB, image/jpeg
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 Steps to reproduce: Tried to setup a new Google Chat account Actual results: Authentication failed and google emailed me a message: "Someone just tried to sign in to your Google Account from an app that doesn't meet modern security standards. We strongly recommend that you use a secure app, like Gmail, to access your account. All apps made by Google meet these security standards. Using a less secure app, on the other hand, could leave your account vulnerable." This message could scare away users that are new to Thunderbird. There also seems to be issues with the facebook chat login as that authentication also fails. Expected results: Both google and facebook chat sign in work and I can chat from Thunderbird instead of being warned that Thunderbird is an insecure program that should not use.
I have experienced the same rejection as Joel using Win 7 professional, Thunderbird 38.6.0
I updated to TBird 38.7.0 and still fails to successfully login to Google Chat Application Basics Name Thunderbird Version 38.7.0 User Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0 Profile Folder (Local drive) Application Build ID 20160310150025 Enabled Plugins about:plugins Build Configuration about:buildconfig Memory Use about:memory Mail and News Accounts ID Incoming server Outgoing servers Name Connection security Authentication method Name Connection security Authentication method Default? account1 (pop3) mail.askoldmoldy.net:110 None Normal password askoldmoldy.net:587 STARTTLS, if available Normal password true askoldmoldy.net:587 STARTTLS, if available Normal password false account2 (none) Local Folders None Normal password account4 (pop3) mail.askoldmoldy.net:110 None Normal password askoldmoldy.net:465 SSL/TLS Normal password true askoldmoldy.net:465 SSL/TLS Normal password false account11 (rss) News & Blogs None Normal password account12 (im) prpl-gtalk None 0 Crash Reports Report ID Submitted All Crash Reports Extensions Name Version Enabled ID Google Search for Thunderbird 1.0 true gsearch@standard8.plus.com Ignore Aero (Hooks) 1.1.0.1 true ignoreaero-x@rsjtdrjgfuzkfg.com Lightning 4.0.7 true {e2fda1a4-762b-4020-b5ad-a41df1933103} Noia Fox options 3.0.2 true NoiaFoxoption@davidvincent.tld Theme Font & Size Changer 44.6 true {f69e22c7-bc50-414a-9269-0f5c344cd94c} LookOut 1.2.13 false lookout@aron.rubin Silvermel and Charamel XT 1.6.1 false silvermelxt@pardal.de
(In reply to Joel from comment #0) > Authentication failed and google emailed me a message: > > "Someone just tried to sign in to your Google Account from an app that > doesn't meet modern security standards. We strongly recommend that you use a > secure app, like Gmail, to access your account. All apps made by Google meet > these security standards. Using a less secure app, on the other hand, could > leave your account vulnerable." > > This message could scare away users that are new to Thunderbird. Yeah, Google likes to break things that have worked for long periods of time and not tell other people. You have to tick a box somewhere in your account, I think. Mrinal recently did this, what were the steps you had to follow to enable XMPP on your account? This probably has the same solution as bug 1238631. (We need to enable OAuth2 via XMPP log-ins.) > There also > seems to be issues with the facebook chat login as that authentication also > fails. This is unrelated, Facebook shut off the interface we were using. (See bug 1236133; bug 1141674 will re-add support for it.)
Status: UNCONFIRMED → NEW
Component: Untriaged → XMPP
Ever confirmed: true
Flags: needinfo?(mrinal.dhar)
Product: Thunderbird → Chat Core
Version: 48 Branch → trunk
I got it to work by requesting an "App specific password" from google. You can follow this link to generate one for InstantBird: https://security.google.com/settings/security/apppasswords Just enter that password as your account password when trying to log in to GTalk on IB and it should work. (You can see that password only once, at the time it's generated. So if you lose it and need to log in to IB again, you can do that by simply generating a new app password via the same link)
Flags: needinfo?(mrinal.dhar)
(In reply to Mrinal Dhar from comment #4) > I got it to work by requesting an "App specific password" from google. > > You can follow this link to generate one for InstantBird: > https://security.google.com/settings/security/apppasswords > > Just enter that password as your account password when trying to log in to > GTalk on IB and it should work. > > (You can see that password only once, at the time it's generated. So if you > lose it and need to log in to IB again, you can do that by simply generating > a new app password via the same link) This proposed work around fails to apply to Thunderbird on my system. This is not a mobile app. I am running a desktop version of Thunderbird. When I followed the link, Google gives me an error message to indicate that there is no such setting.
This is Google's error screen when I follow the link in the comment from Mrinal Dhar
Ah, I forgot to mention, this is for accounts with two factor authentication enabled. Are you using it on your account? I just did that for mine, which did use two-factor auth, and I didn't have to change any other security settings. So I'm not sure what's causing it to fail in your use case.
Not using two-factor authentication. Also note, that the protocol is not XMPP but Google Talk
(In reply to Don Moldover from comment #8) > Also note, that the protocol is not XMPP but Google Talk Google Talk is just a nice wrapping around XMPP that automatically configures the server and a couple of other options. It's the same underlying protocol. I've looked around a bit and haven't been able to find anything (I was hoping for something like https://support.google.com/mail/troubleshooter/1668960?rd=1, which is for IMAP).
I tried changing my password. That didn't help. I tried deleting the Chat account and adding it back. That didn't help I'm willing to work on this with you but it seems generally a little beyond my depth. Is the debug log of any use? (Thunderbird 38.7.0 (20160310150025), Gecko 38.7.0 (20160310150025) on Windows NT 6.1; WOW64) [3/25/2016 12:28:06 PM] LOG (@ prpl-gtalk: Socket.connect resource:///modules/socket.jsm:148) Connecting to: talk.google.com:443 [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onTransportStatus resource:///modules/socket.jsm:557) onTransportStatus(STATUS_RESOLVING) [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onTransportStatus resource:///modules/socket.jsm:557) onTransportStatus(STATUS_RESOLVED) [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onTransportStatus resource:///modules/socket.jsm:557) onTransportStatus(STATUS_CONNECTING_TO) [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onTransportStatus resource:///modules/socket.jsm:557) onTransportStatus(STATUS_CONNECTED_TO) [3/25/2016 12:28:06 PM] LOG (@ prpl-gtalk: Socket.sendString resource:///modules/socket.jsm:255) Sending: <?xml version="1.0"?><stream:stream to="gmail.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0"> [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onTransportStatus resource:///modules/socket.jsm:557) onTransportStatus(STATUS_SENDING_TO) [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onTransportStatus resource:///modules/socket.jsm:557) onTransportStatus(STATUS_RECEIVING_FROM) [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onStartRequest resource:///modules/socket.jsm:480) onStartRequest [3/25/2016 12:28:06 PM] LOG (@ prpl-gtalk: XMPPParser.prototype._logReceivedData resource:///modules/xmpp-xml.jsm:312) received: <stream:stream xmlns="http://etherx.jabber.org/streams" from="gmail.com" id="2C0E6EA5CF8CCB06" version="1.0"> [3/25/2016 12:28:06 PM] LOG (@ prpl-gtalk: XMPPParser.prototype._logReceivedData resource:///modules/xmpp-xml.jsm:312) received: <stream:features xmlns="http://etherx.jabber.org/streams"> <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> <mechanism xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> X-OAUTH2 </mechanism> <mechanism xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> X-GOOGLE-TOKEN </mechanism> <mechanism xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> PLAIN </mechanism> </mechanisms> </stream:features> [3/25/2016 12:28:06 PM] LOG (@ prpl-gtalk: Socket.sendString resource:///modules/socket.jsm:255) Sending: <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AGRvbi5tb2xkb3ZlcgBlM0dvb0NoZWsjIQ==</auth> [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onTransportStatus resource:///modules/socket.jsm:557) onTransportStatus(STATUS_SENDING_TO) [3/25/2016 12:28:06 PM] DEBUG (@ prpl-gtalk: Socket.onTransportStatus resource:///modules/socket.jsm:557) onTransportStatus(STATUS_RECEIVING_FROM) [3/25/2016 12:28:06 PM] LOG (@ prpl-gtalk: XMPPParser.prototype._logReceivedData resource:///modules/xmpp-xml.jsm:312) received: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> <not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/> </failure> [3/25/2016 12:28:06 PM] LOG (@ prpl-gtalk: Socket.disconnect resource:///modules/socket.jsm:185) Disconnect
Summary: Google Chat complains that Thunderbird "doesn't meet modern security standards" → Google Chat complains that Thunderbird "doesn't meet modern security standards" (should use OAuth)
A workaround from bug 1268339: (In reply to Don Moldover from bug 1268339, comment #3) > There is a work-around, based on Florian's comment: > > The setting appears to be part of My Account --> Sign-in & Security --> > Connected apps & sites > ---> Allow less secure apps: ON > > As soon as I flipped this switch, I am able to connect via Google Chat. > Thanks for that comment

A discussion on Matrix inspired by bug 1715923 has uncovered https://developers.google.com/talk/jep_extensions/oauth which would allow us to authenticate with OAuth instead.

Seems we had two bugs about this, duping into bug 1238631 where work on this is happening.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: