[MlMt] MailMate passed the CASA tier 2 security assessment (hurrah?)
Steven M. Bellovin
smb at cs.columbia.edu
Wed Apr 9 11:53:40 EDT 2025
On 9 Apr 2025, at 11:47, Benny Kjær Nielsen wrote:
> On 9 Apr 2025, at 17:18, Alan Ralph wrote:
>
>> While I kinda-sorta understand why OAuth _might_ be a good thing, from what you've written it sounds like Google is using it primarily for their benefit. It _would_ be mighty convenient if fewer people were using third-party apps to access their Gmail, and opting to access through the browser (ideally Chrome, from Google's viewpoint) or the official Gmail app...
>
> I'm thinking it's a combination of things. Google has probably had more problems with misuse of Google accounts in various ways than anyone else, but I doubt many of those problems have been related to IMAP/SMTP (other than missing 2FA). They had to tighten security for cloud-to-cloud services and then maybe native apps became kind of collateral damage in the process. Now they won't reverse course and instead we have this security theater. Google are the only ones using a “client secret” for OAuth access even though you cannot keep that secret from the user.
>
Worth noting—and I'm a security guy—for many people, their email password is the most valuable one they have, since it's used for password reset on all of their other accounts.
—Steve Bellovin, https://www.cs.columbia.edu/~smb