why gmail claims balsa (and other email clients) are "less secure"



I'm starting a new thread for this, since all the other attempts to track down TLSv1.2 are essentially irrelevant to this discussion. While Google does list a few specific email clients, I believe this label applies to almost all PC/iOS/android email clients.

I finally did enough googling to discover that Google applies the "less secure" label to any email client that does not use OAuth 2.0. (You can apparently get around this by setting up two factor authentication, but I have not yet looked into the details to see exactly how Google does this.) It seems Google is completely ignoring the use of an encrypted channel, and is just complaining about the "third part app" (balsa in this case) having your Google password.

It's not completely clear to me how much effort it would be for balsa to incorporate OAuth 2.0, but given the discussions I've seen, it seems it really is simple and not truly a security issue to just tick the "allow less secure apps" in the gmail config.

Most of the discussions I've found on this end up taking a very cynical view of Google's reasoning behind this, and I tend to agree.

Jack


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]