[MlMt] MailMate passed the CASA tier 2 security assessment (hurrah?)

[Benny Kjær Nielsen]

On 9 Apr 2025, at 17:18, Alan Ralph wrote:

> While I kinda-sorta understand why OAuth _might_ be a good thing, from 
> what you've written it sounds like Google is using it primarily for 
> their benefit. It _would_ be mighty convenient if fewer people were 
> using third-party apps to access their Gmail, and opting to access 
> through the browser (ideally Chrome, from Google's viewpoint) or the 
> official Gmail app...

I'm thinking it's a combination of things. Google has probably had more 
problems with misuse of Google accounts in various ways than anyone 
else, but I doubt many of those problems have been related to IMAP/SMTP 
(other than missing 2FA). They had to tighten security for 
cloud-to-cloud services and then maybe native apps became kind of 
collateral damage in the process. Now they won't reverse course and 
instead we have this security theater. Google are the only ones using a 
“client secret” for OAuth access even though you cannot keep that 
secret from the user.

> I wish I wasn't so cynical about this, but then Google has shown its 
> hand more than enough times in the past that I keep my (now limited) 
> use of their services as arms-length and brief as possible. (My 
> thoughts on Google Drive probably aren't repeatable in polite 
> company.) I just checked my Google Account page, and had to resort to 
> Help to find the app passwords page, so it definitely gives credence 
> to Google pushing folks towards OAuth and away from third-party apps & 
> services.

Yes, I found a description of where it was supposed to be in their 
settings, but it wasn't there. Only the direct link works for me. For a 
long time, I did not think this was possible at all.

-- 
Benny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freron.com/pipermail/mailmate/attachments/20250409/31707d8c/attachment.htm>