poma: >> OK read it for yourself what it's all about: >> Log in to Google Talk (XMPP) and Gmail (IMAP/SMTP) using OAuth >> https://bugzilla.mozilla.org/show_bug.cgi?id=849540 & poma, again: > Tim, Markus care to comment? :) My eyes glazed over less than half way through that page. Pithy comments aside, I have, by then, forgotten what the hell the most of that page was trying to discuss. I shall diverge, and relate a tale about Yahoo mail. Some time ago Yahoo changed something so that if you wanted to send a message to a group managed by Yahoo (their name for one of their mailing lists, as if it were a newsgroup), and send it from a Yahoo address (like I'm doing right now), you had to send it through their own SMTP server, not your own (or your ISPs), and their SMTP server requires you to log in. Hence, emails sent to their group are authenticated (albeit poorly). Alternatively, you could post to the group from some other email address that gets (similarly) authenticated by whatever other SMTP server you post through (I had no SMTP server available to me that has that log-in before sending feature), so that you're not a completely anonymous spammer, just semi-anon... All it wanted was an SMTP server to say johndoe@xxxxxxxxxxx is known to example.com, there's nothing further to say that example.com has actually verified whomever claims to be johndoe. Previously, you could enter any email address in the "from" field (as long as it had been previously signed up to the mailing list), and send through any SMTP server. They made /that/ change as an anti-spam effort (which has failed, by the way, spam still gets though), rather than tighten up their "join the group" mechanism to make it a real nuisance for hit and run spammers. However, it falls apart in numerous places: Firstly, spammers still get spam through. Secondly, not everyone has an SMTP server that authenticates them before allowing mail to go through. Whether that be their usual SMTP server doesn't do it, or a lack of access to any server that they can find. Thirdly, for me to set Yahoo as my SMTP server for that posting address required me to, also, connect to it using a "secure" method. But which secure method? I'm using Evolution, and I had to go through an annoying trial and error poke-it-and-see try out of different combinations of things before I got one that worked. Then months later they changed something, and I had to go through that mess again. There are three different TCP/IP ports that I could try, 25 is the old unencrypted one, so it ought to be either 465 or 587. Then there was the security technique, no encryption (doesn't seem the right choice,) or STARTTLS after connecting, or SSL on a dedicated port. Then there was six different authentication types (PLAIN, NTLM/SPA, GSSAPI, DIGEST MD5, CRAM MD5, Login, and POP before SMTP). And, although, there's a test button next to it, to help narrow it down by crossing out types that the server doesn't support, that function doesn't always work. Much of that stuff I'd never used or heard of, just about all of it is completely foreign to a typical computer user, much of it is named differently than the peculiar error message you get back from Yahoo when your post fails to be accepted, likewise with trying to read through Yahoo's help pages. It's an utter nightmare. There is no tick box to "make it secure" and have it just work, because there's a plethora of wildly different and inappropriate options. There's a plethora of different help pages, because each mail client is different, and you're screwed if they don't have a help page for your client. It's well past the days where a service provider can simply tell you SMTP and POP/IMAP addresses, and leave you to find the places for them in your client, and you'd be able to work that out for yourself, because you only had three standard things to look for. Now you've got to look for some feature that's named differently on different clients and services, despite being the same thing, or you've got to sort through different security choices between the server and yourself, to find ones that are supported by both sides. Back to google/gmail... When I tried them out, long ago, you could log into their web interface, using a familiar process of providing your email address and a password. Years of prior experience of various web and mail services has been that if you wanted to use an email client, instead of a web browser, you'd simply use that same email address and password, and fill in the mail server addresses, and you were done. But google doesn't want that, because mail clients typically send out the password in the clear. Their approach, instead of fighting with a gazillion security options in the client config, was to make you get an extra different password for your account, put that into your email program, and run the lesser risk (in their opinion) of losing a password that would only let you read mail, keeping the other password that lets you do things with your account, separate (of course, if the user sends out the wrong [master] password in their mail logon attempt, snoopers have grabbed it anyway). There's some logic in having two passwords, but it's a still a pain for people to deal with, just a *different* kind of bastard. And they extend it further, with google recognising different clients as you try to connect to your google account and requiring you set up individual passwords for each different client you use (because your google account gives you a mail service, and an instant messaging service, on the same account, but with different passwords). Of course you're still screwed if you get one of those secondary passwords captured by nefarious types, even if you're only partially screwed. So some services offer the two-step logon, where you log on in the way that you'd normally expect, but before you can continue, you have to authenticate with something completely separate, as well. Such as, as you connect up, you're SMSed a one-time password to enter, as well. Or, you need to visit some webpage, before you can email. Or, even if you're doing something on the web, you have to authenticate via a second webservice (such as the old Microsoft Passport debacle, I think this is the kind of issue that long-winded bugzilla link you provided is about), which offered central authentication for numerous services, and suddenly you find that you're unexpectedly logged in while browsing some third or forth website because they share authentication authorities, or you have users falling for the "enter your hotmail address and password" trick while they're browsing some completely unrelated website, and they do exactly what it says, instead of giving them an email address and a password for /this/ website. Now you've got a new nuisance to contend with: You've got to have some alternative option to your initial need available, and you've got to have it with you at the time. So much for nipping down to the library to use their computers to email something, if your phone or password notebook is at home. And a new security flaw to deal with: Steal my phone, try to log in to my mail, and it fails because you don't know my password, click the "I've forgotten my password" link, and the stupid service uses my mobile phone to confirm something, and now you're into my mail. Or, steal my phone and throw it away, and I've been locked out of my mail. Or, for some reason I have to change my phone number, I get locked out of things. Security is flawed. Many security practices have stupid holes in them, many of them have been known about for many years, yet are still being employed (even on new things). And many practices are really annoying to have to deal with. I hate those "enter your mother's maiden name, pet's name," etc., security questions. Much of the time, what they ask is information easily available to other people. There's the personal option about providing bogus information, but you've got to write that down to remember it. And whatever you typed in it the first time around, you have to be able to retype the answer verbatim. -- tim@localhost ~]$ uname -rsvp Linux 3.17.8-200.fc20.i686 #1 SMP Fri Jan 9 00:01:03 UTC 2015 i686 All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I will only read messages posted to the public lists. George Orwell's '1984' was supposed to be a warning against tyranny, not a set of instructions for supposedly democratic governments. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
