Gmail blocks "less secure apps"

Discussion in 'other security issues & news' started by Bellzemos, Aug 13, 2014.

  1. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    40
    Hello!

    Yesterday I tried setting up MS Outlook with Gmail through IMAP and couldn't - because Gmail now blocks "less secure apps". There's an option to enable the less secure apps. Would I still be safe if I enabled that?

    Any comment would be much appreciated.
     
  2. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    40
    PS: I've decided I'd like to use a simple Gmail Notifier (http://www.gmailnotifier.com/) instead of MS Outlook; Outlook is overkill for my needs. But, would I be safe using the Gmail Notifier? I still have to set up IMAP and enable less secure apps in the Google account.

    Thank you.
     
  3. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    40
    Would anyone care to reply please? :)
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  5. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    40
    Thank you, I've read that before though. I'd like to know if I'm really less safe by enabling "less secure apps" to access my Gmail account. Any comment on that?
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    There are a number of ways an email client can authenticate to an email server. Google is: 1) actively discouraging what's known as Basic Authentication, and possibly some other less basic methods from the sound of it, while 2) actively encouraging the use of OAuth2.

    There are some issues with Basic Authentication, at least the way it is normally implemented. The client stores, and passes to the server, plain user/pass info. All client applications and devices use the same credentials each time they have to authenticate. Often, servers don't implement robust (and user tunable) methods of gating clients based on IP Address and/or other means. Often, substantially different types of services are accessed through the same set of credentials, which means a compromise in one area (such as email) can affect something else (such as general purpose file storage). OAuth is one of the approaches that is meant to address some of these issues. Some general reading about Basic Authentication vs OAuth and alternatives may help you get your bearings. Some specific searches for related discussions on email protocols and contexts would be the next step.

    I don't use Google services, but something I read suggested that users who don't want to change to email clients that support OAuth (I'm not sure which ones do, I suspect such support remains uncommon in the "desktop" space at least) may have two options. One, simply enabling "less secure apps" which will allow Basic Authentication and all clients would use the same password. Two, setting up application specific passwords, which sounded to me like a variant of Basic Authentication whereby one or more email clients could be configured to use their own password (and, importantly, one that is different than the one you would use to login to manage your Google account). Maybe someone could confirm and/or provide more detail on this latter option.
     
  8. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    40
    I see, thank you for your input. Do you think that for an absolutely clean system (no malware at all) it is OK to use the less secure apps enabled setting? I won't hold anyone to his/her word, I'd just like to hear the opinions (real world). My computer is clean and I'm thinking of allowing the less secure apps, meaning I'll use Gmail Notifier to access my emails.
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I think it is reasonable to be open to enabling "allow less secure apps". If you do enable it, I believe you'd essentially revert to an authentication scenario that has been extremely common for ages and which huge numbers of people have used without issue. On the other hand, it is important to try to understand... for ourselves... where the weak points are and make adjustments that improve our security.

    When using basic/traditional authentication mechanisms I think it is somewhat more important that:

    - The client platform and client applications (email software, password database, ...) must be secure
    - Each and every connection over which you pass credentials must be secure
    - Credential sharing, with applications [on other devices] and/or humans, be kept to an absolute minimum
    - One keep a close eye on their account, and where applicable logs, for signs of unauthorized access
    - You use separate accounts [with separate providers] to compartmentalize things
    - Periodically prune what is stored on Internet accessible servers to reduce the amount of historical data that could become available through a single compromise

    Regarding application specific passwords, I found this:

    https://support.google.com/mail/answer/1173270?hl=en

    I would explore that route first. If you can compartmentalize access to things, and especially if you can setup one password for limited access (email) while having another password for fuller access (via browser), that would be better than allowing the same password to be used in all contexts. I just don't know precisely how Google has implemented the feature, and don't have a Google account to play around with.
     
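    Post 7 above describes the difference between basic authentication (the account password itself is sent) and OAuth2 (a scoped, revocable token is sent), and post 9 stresses that every connection carrying credentials must be secure. The Python below is an added example written for this page; it is not code from the thread, from Google or from Gmail Notifier. It builds and decodes the SASL XOAUTH2 initial client response that Google documents for IMAP, decodes a SASL PLAIN response, and walks a constructed client-side IMAP transcript to show which steps put the account password on the wire and whether TLS was up at that point. The address alice@example.com, the password, the token string and the transcript lines are all constructed; the severity labels in `audit_session` are this example's own convention, not anything Google defines.

```python
import base64
import re

# SASL XOAUTH2 initial client response, in the layout Google documents for IMAP/SMTP:
# base64("user=" + user + "\x01auth=Bearer " + access_token + "\x01\x01")
def build_xoauth2_response(user: str, access_token: str) -> str:
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode("ascii")


def decode_xoauth2_response(b64: str) -> dict:
    """Split a base64 XOAUTH2 response back into its key=value fields."""
    raw = base64.b64decode(b64).decode()
    fields = {}
    for part in raw.split("\x01"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def decode_plain_response(b64: str) -> dict:
    """SASL PLAIN (RFC 4616) is: authzid NUL authcid NUL password, base64 encoded.
    Decoding it shows the account password travels verbatim."""
    authzid, authcid, password = base64.b64decode(b64).decode().split("\x00", 2)
    return {"authzid": authzid, "user": authcid, "password": password}


LOGIN_RE = re.compile(r'^(\S+)\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*$', re.I)
AUTH_RE = re.compile(r'^(\S+)\s+AUTHENTICATE\s+(\S+)(?:\s+(\S+))?\s*$', re.I)
STARTTLS_RE = re.compile(r'^(\S+)\s+STARTTLS\s*$', re.I)


def classify_line(line: str):
    """Describe what credential an IMAP client command places on the wire.
    Returns None for commands that carry no credential."""
    if (m := LOGIN_RE.match(line)):
        return {"tag": m.group(1), "method": "LOGIN",
                "exposes": "account password", "user": m.group(2).strip('"')}
    if (m := AUTH_RE.match(line)):
        tag, mech, initial = m.group(1), m.group(2).upper(), m.group(3)
        if mech == "XOAUTH2":
            user = decode_xoauth2_response(initial).get("user") if initial else None
            return {"tag": tag, "method": "AUTHENTICATE XOAUTH2",
                    "exposes": "scoped bearer token", "user": user}
        if mech == "PLAIN":
            user = decode_plain_response(initial)["user"] if initial else None
            return {"tag": tag, "method": "AUTHENTICATE PLAIN",
                    "exposes": "account password", "user": user}
        return {"tag": tag, "method": f"AUTHENTICATE {mech}",
                "exposes": "mechanism-dependent", "user": None}
    return None


def audit_session(lines, implicit_tls: bool):
    """Rate each authentication step of a client transcript.
    implicit_tls=True models IMAPS (port 993, encrypted from the first byte);
    otherwise the session is cleartext until a STARTTLS command is seen."""
    tls = implicit_tls
    findings = []
    for line in lines:
        if STARTTLS_RE.match(line):
            tls = True          # everything after this point is encrypted
            continue
        info = classify_line(line)
        if info is None:
            continue
        if info["exposes"] == "account password" and not tls:
            severity = "critical"   # the password is readable by anyone on the path
        elif info["exposes"] == "account password":
            severity = "warn"       # encrypted in transit, but one secret unlocks everything
        elif info["exposes"] == "scoped bearer token":
            severity = "ok"         # revocable, scope-limited credential
        else:
            severity = "review"
        findings.append((info["tag"], info["method"], severity))
    return findings


# Constructed transcript of client commands; not captured from a real session.
CONSTRUCTED_TRANSCRIPT = [
    "a001 STARTTLS",
    'a002 LOGIN "alice@example.com" "hunter2"',
    "a003 AUTHENTICATE PLAIN "
    + base64.b64encode(b"\x00alice@example.com\x00hunter2").decode("ascii"),
    "a004 AUTHENTICATE XOAUTH2 "
    + build_xoauth2_response("alice@example.com", "CONSTRUCTED-ACCESS-TOKEN"),
    "a005 SELECT INBOX",
]

if __name__ == "__main__":
    for tag, method, severity in audit_session(CONSTRUCTED_TRANSCRIPT, implicit_tls=False):
        print(f"{tag} {method:<22} {severity}")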
  10. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    40
    Thank you for explaining all this to me. If I allow less secure apps my browser log-in to Gmail is still secure just the same - or not? The setting means only allowing other apps but the browser login is still on the exact same level regarding security (OAuth2)? That's how I understand it and if that's so then I'm pleased.

    The only less secure app I'm planning to use is this:
    http://www.gmailnotifier.com/

    And this will only notify me of new emails, set through IMAP, and I'll be able to read them in that program. If I set an application specific password just for that particular program I think I'll be secure. The only thing I'm not sure about is if there's a chance for something to "escape" from this notifier into my system (malware attachment and the like) and how safe this whole thing is.

    I wouldn't even be asking about it here but it seems so practical as I have 4 Gmail addresses and this app displays new mails immediately from all four. But I am concerned about the safety, so that's why I'm asking.

    Again, thank you for help!
     
  11. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    @Bellzemos
    The GHacks article says that the problem you have arises only if you don't have 2-factor authentication disabled. Why not enable it and use an app specific password and solve the problem this way?
     
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Is there a path to application-specific passwords that doesn't involve sharing a phone number with Google or running any of its apps/applications on a client? I don't know what Bellzemos's preferences are, but some would prefer not to have to do those things. Which might even make sense and be consistent, if they don't use Gmail for personally identifiable communications.
     
  13. mbeiley2011

    mbeiley2011 Registered Member

    Joined:
    Sep 26, 2011
    Posts:
    4