[MlMt] MailMate passed the CASA tier 2 security assessment (hurrah?)

Benny Kjær Nielsen mailinglist at freron.com
Sat Jun 8 14:00:49 EDT 2024


On 8 Jun 2024, at 17:19, Bill Cole wrote:

> On 2024-06-08 at 06:21:14 UTC-0400 (Sat, 08 Jun 2024 12:21:14 +0200)
> Benny Kjær Nielsen <mailmate at lists.freron.com>
> is rumored to have said:
>
> [...]
>> Before going into what this means, I should tell you that I've completed the assessment and MailMate went into the “verified” state a week ago. This should make the MailMate/Gmail combination fairly safe for the next year. To be more precise, the verification expires May 7th 2025.
>>
>> Going forward, I will have to do this every year. This means that every year there is a potential risk of MailMate no longer being able to access Gmail accounts. Google might decide that some feature/language/library used by MailMate is no longer considered safe, or they might come up with some other requirement that I cannot easily satisfy. This is a risk that I somehow need to make sure that users are aware of before buying a license key. I'm still considering how to best solve this problem.
>
> Thank you for doing this tedious yet disturbing task.

Thanks! I'd like to say it wasn't so bad :) This type of task might, in retrospect, not involve much work, but it takes a lot of time to understand what is required and figure out what exactly needs to be done. And then there is the time you wonder about what to do if it's simply not possible (or too expensive) to fulfil the requirements.

> It is a very sad state of affairs that we've reached where service providers feel the need to vet every client application which they will allow to use their authentication systems. It is good that there is an open-ish process/standard (CASA) that hopefully will be common to all providers who demand this sort of thing, but the whole concept remains at odds with traditional core principles of the Internet.

CASA likely makes a lot of sense for web-based applications. Right now it doesn't make much sense for a desktop email application and if it did then I think it would be much better if Apple was involved in the process (checking every release of the app).

And then there's the basic problem of the limitations of OAuth2. Google can block a specific app from access via OAuth2, but such an app can quite easily pretend to be any app which does have access to Gmail (the user would see this during authentication, but the user might not care). That goes both ways. Any app can pretend to be MailMate. If Google really wants to block a user from using a specific app with Gmail then they have to block all (desktop) apps.

-- 
Benny
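Added illustration (not code from MailMate or from the message author) of the point made above about OAuth2 for desktop apps. It walks through the native-app flow (RFC 8252 loopback redirect with RFC 7636 PKCE) and shows that every field the authorization server sees is generated by the client itself, so a second binary embedding the same client_id is indistinguishable from the real one. The endpoint URLs, client_id and scope are placeholders assumed for the example, not Google's or MailMate's real values.

```python
"""Native-app OAuth2 flow (RFC 8252 + RFC 7636 PKCE), reduced to the parts the
authorization server can observe. Added example; all constants are assumed
placeholders, not any real provider's or app's values."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://auth.example/o/oauth2/v2/auth"   # assumption
PUBLIC_CLIENT_ID = "123456789-abc.apps.example"             # assumption
LOOPBACK_REDIRECT = "http://127.0.0.1:49152/"               # RFC 8252 loopback


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier from 32 random bytes (43 chars, within RFC 7636 43..128)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id, verifier, state, scope) -> dict:
    """Everything the authorization server learns about the 'app'. Note that
    no field is tied to a particular binary: client_id ships inside the app."""
    return {
        "client_id": client_id,
        "redirect_uri": LOOPBACK_REDIRECT,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }


def authorization_url(params: dict) -> str:
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_loopback_callback(url: str, expected_state: str) -> str:
    """Parse the redirect the browser delivers to the app's loopback listener.
    A state mismatch is rejected (CSRF / mix-up defence); returns the code."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError("authorization error: " + q["error"][0])
    return q["code"][0]


def build_token_request(client_id: str, code: str, verifier: str) -> dict:
    """Token exchange for a public client. The only proof of possession is the
    code_verifier, which whichever client started the flow generated itself."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": LOOPBACK_REDIRECT,
        "code_verifier": verifier,
    }


def server_cannot_distinguish(client_id: str, scope: str) -> bool:
    """Two different binaries embedding the same client_id produce requests
    that differ only in values each chose itself (state, PKCE challenge).
    Returns True when every fixed, identity-bearing field is identical."""
    a = build_authorization_request(client_id, make_verifier(), secrets.token_urlsafe(16), scope)
    b = build_authorization_request(client_id, make_verifier(), secrets.token_urlsafe(16), scope)
    fixed = ("client_id", "redirect_uri", "response_type", "scope", "code_challenge_method")
    return all(a[k] == b[k] for k in fixed)


if __name__ == "__main__":
    verifier = make_verifier()
    state = secrets.token_urlsafe(16)
    req = build_authorization_request(PUBLIC_CLIENT_ID, verifier, state, "mail.example/scope")
    print("open in browser:", authorization_url(req))
    # Constructed callback, as the browser would hand it to the loopback listener.
    cb = f"{LOOPBACK_REDIRECT}?state={state}&code=constructed-code"
    code = parse_loopback_callback(cb, state)
    print("token request:", build_token_request(PUBLIC_CLIENT_ID, code, verifier))
    print("impostor indistinguishable:", server_cannot_distinguish(PUBLIC_CLIENT_ID, "scope"))
```

PKCE protects the authorization code against interception on the device; it does not authenticate the application, which is exactly why blocking one desktop app by client_id only works against apps that choose not to borrow another's.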

