LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices


Reply
  Search this Thread
Old 02-04-2019, 12:11 PM   #1
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 2,682
Blog Entries: 6

Rep: Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367
Another nasty trick from Google


I was browsing around reading up on setting up claws-mail to interact with Gmail. I use it myself (have done for several years) and am thinking of setting it up for a friend.

All the instruction sets advise you to use imap for the download and not pop3. You are advised that Google regard pop3 as insecure and will block it unless you have selected an explicit option to turn on "less secure access". Obviously, a novice is not going to do that!

Nice of Google, isn't it, to care so much about its users' security that it stops them from making silly mistakes. Except that it turns out imap has a great big leak that allows Google to read all your emails in clear from the Drafts folder, even if you encrypt them before sending. Here is the gen.

Far from caring about our security, Google wants to be able to hack our mail and that's why it discourages users from using pop3. Apparently pop3 does not have this hole.

PS: Tails recommends Icedove, which does not have this hole. Now Icedove is simply unbranded Thunderbird. So what does Google think of Thunderbird? Yes, you've guessed it! They specifically warn you against using it because they consider it "insecure".

Last edited by hazel; 02-04-2019 at 12:24 PM. Reason: Added postscript
 
Old 02-04-2019, 12:24 PM   #2
agillator
Member
 
Registered: Aug 2016
Posts: 211

Rep: Reputation: Disabled
Hazel, you apparently trust Google almost as far as I do - about as far as I can throw them. The pop3 insecurity, I think, is a matter of how you connect. If you can use a secure connection then it would be secure in transit. If you cannot use a secure connection . . . . Imap has the problem as you pointed out that it resides on their computers so they ALWAYS have access. I hardly use Google for obvious reasons and use another email provider. So I always use pop3 (except for Google and I may change that) which means I create my emails, encrypt them if I wish, and then send them. Therefore anything I want encrypted is encrypted before the email system ever gets it. I always assume my emails are read by others, its safer that way. Most of my family aren't as paranoid so I just am careful what I say in emails, but then the rest of my family did not work for years in the security environment I did. Appreciate the tip.
 
Old 02-04-2019, 12:33 PM   #3
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 2,682

Original Poster
Blog Entries: 6

Rep: Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367
I use gmail mainly for mailing list traffic. There's nothing secret in those and they're all archived online anyway. My personal mail goes through my ISP's mail servers.

What infuriates me is that Google specifically ban as "insecure" any form of access that prevents them from spying on you.
 
Old 02-04-2019, 12:39 PM   #4
agillator
Member
 
Registered: Aug 2016
Posts: 211

Rep: Reputation: Disabled
Weren't we warned as children about letting the fox guard the hen house?
 
Old 02-04-2019, 12:39 PM   #5
cwizardone
Senior Member
 
Registered: Feb 2007
Distribution: Slackware64-current with "True Multilib" & Xfce.
Posts: 4,465
Blog Entries: 1

Rep: Reputation: 1783Reputation: 1783Reputation: 1783Reputation: 1783Reputation: 1783Reputation: 1783Reputation: 1783Reputation: 1783Reputation: 1783Reputation: 1783Reputation: 1783
I agree with you, but you can still use pop.gmail.com to setup your e-mail in a third party e-mail application such as Thunderbird.
 
Old 02-04-2019, 01:13 PM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 18,104

Rep: Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521
It isn't a nasty trick by Google and the posted link indicates it is a Claws problem.

As far as I know less secure access are for email clients that do not use OAuth2 authentication. Since google uses ssl/tls encryption for both IMAP and POP3, using pop3 isn't a problem any more.

The difference between IMAP and POP3 is that IMAP syncs email between client and server. email in the process of being written can be also saved to the draft folder which might be automatically synced to the server if using IMAP. The link does have some workarounds and switching to POP3 is an option if your friend only uses email from one device.

Typical of software authors is that they think they know what the user wants better then they do. As stated using another email client if possible would probably be best solution.

Last edited by michaelk; 02-04-2019 at 06:22 PM.
 
Old 02-04-2019, 01:20 PM   #7
Trihexagonal
Member
 
Registered: Jul 2017
Location: Land of 1000 Nights
Distribution: FreeBSD, OpenBSD and Solaris
Posts: 185

Rep: Reputation: 159Reputation: 159
I have a google account so I can make use of their webmaster tools but never do a search when logged in or use the gmail box associated with it.

I rarely ever use email for anything but registration or thread updates and a box from my domain for that so I can redirect mail or delete the box if need be. I prefer offshore accounts for everything else.
 
Old 02-04-2019, 08:32 PM   #8
Myk267
Member
 
Registered: Apr 2012
Location: California
Posts: 416
Blog Entries: 15

Rep: Reputation: Disabled
Quote:
2015-05-07
So, an old bug.
 
Old 02-04-2019, 09:40 PM   #9
michaelk
Moderator
 
Registered: Aug 2002
Posts: 18,104

Rep: Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521
Good point. It does look the bug was eventually fixed.
 
Old 02-04-2019, 11:53 PM   #10
HussarHussar
LQ Newbie
 
Registered: Feb 2019
Posts: 0

Rep: Reputation: Disabled
You make a good point that isn't brought up enough about email scanning. It does happen at a ridiculous level and I've had a long issue personally experiencing the effects of this. You should consider looking at protonmail.com and the new Librem 5.
 
Old 02-05-2019, 06:12 AM   #11
Pastychomper
Member
 
Registered: Sep 2011
Location: Scotland
Distribution: Android
Posts: 104

Rep: Reputation: 140Reputation: 140
I also take the view that email is not secure, but still use it for some things. I use Gmail via IMAP and every few months Google sends me a "warning" that I'm using an "insecure" setting and should turn it off. If I obey, I lose IMAP access from any non-Google-approved client.

When I looked into it last year, Google would indeed accept any client that used OAuth2 (iirc), but by an amazing coincidence the only mail client I could find for Android that used it was their own app. I used it for a while but it never worked reliably with another mail account, which is an old spam-trap provided by Hotmail. How strange that 'embrace,extend,extinguish' Microsoft and 'don't be too evil' Google would have trouble communicating over a standard protocol.

Slightly less often Google gives me a scary-looking pop-up on my one Android device, telling me that someone else has tried to access my account using my password, but they detected that it wasn't me and blocked the access. From the timing it looks very likely that the "insecure" access attempt is actually one of the regular polls by the mail program I have running most days. I don't know what tips the balance to attract the extra warning, maybe something unusual done by my ISP, or just possibly an algorithm involving a cup and a pair of dice.

Last edited by Pastychomper; 02-05-2019 at 07:08 AM. Reason: tyop
 
Old 02-05-2019, 06:44 AM   #12
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,809

Rep: Reputation: 1166Reputation: 1166Reputation: 1166Reputation: 1166Reputation: 1166Reputation: 1166Reputation: 1166Reputation: 1166Reputation: 1166
I was an email server admin for several years. That was not my main job, but something I could do that NO one else wanted. Trust that I know what I am talking about when I say: NO email is secure. EVER!

Once you send email, you have no control over what servers it passes through, what is done to it, who can scrape or read it, or where it ends. End to end encryption helps a lot, but even that is not a sure thing. In the best case it is not dependable, in the worst case it can be faked, read, leveraged, redirected, or blocked without notice.

That is the nature of the email beast, and not the fault of Google, Facebook, Microsoft, or any company you can name.
 
Old 02-05-2019, 06:57 AM   #13
hazel
Senior Member
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 2,682

Original Poster
Blog Entries: 6

Rep: Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367Reputation: 1367
Quote:
Originally Posted by cwizardone View Post
I agree with you, but you can still use pop.gmail.com to setup your e-mail in a third party e-mail application such as Thunderbird.
That's not as simple as it sounds. They've made it much harder since I set up my email a few years ago. Under the new rules, you can set up pop3 access but when you try to use it, your password won't be accepted if you are using a non-approved application. They specifically name Thunderbird as non-approved by the way. https://support.google.com/accounts/answer/6010255

To get in nowadays, you must either use 2-factor authentication (if your application supports it) or switch off a specific security option in your Google account, which of course triggers all kinds of apocalyptic warnings that are guaranteed to scare off the average non-technical user.

@pastychomper: I get those warnings too. They don't like you using pop3.

Last edited by hazel; 02-05-2019 at 07:21 AM. Reason: Added link
 
Old 02-05-2019, 07:11 AM   #14
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,688
Blog Entries: 3

Rep: Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651
Their implementation of IMAP is already broken. If Google is able to eliminate IMAP and POP support then given the size of their market share they can basically capture e-mail as a technology and take it proprietary. That's the direction they seem to be heading for a while and there's no single major competitor in the mail space. There are a lot of smaller ones still but while it's not that hard setting up your own mail service it is almost impossible to get approved for correspondence with GMail users, including those that outsource mail to Google.

SMTP + IMAP/POP need very badly to be replaced but that is not the way to go about it, open standards are needed. Othrewise we'll continue to dig down into incompatible, balkanized, proprietary e-mail like we had with networking prior to the Internet.
 
Old 02-05-2019, 10:15 AM   #15
newbiesforever
Senior Member
 
Registered: Apr 2006
Distribution: MX (desktop: XFCE 4)
Posts: 2,133

Rep: Reputation: 77
Knowing such things is why I recently made a Protonmail account, having found out the basic service is free.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Microsoft accused of Windows 10 upgrade 'nasty trick' beachboy2 General 5 05-27-2016 03:57 PM
[SOLVED] How do I trick the Google Voice site into thinking I am in the USA, not Canada? Robert.Thompson Linux - Newbie 1 10-04-2011 03:34 PM
LXer: Google misses Russian trick with Opera snubs LXer Syndicated Linux News 0 05-11-2011 09:41 AM
vim :gui trick and undo-trick dazdaz Linux - Software 3 09-10-2007 03:45 PM
LXer: Another Google App., Another Google Yawn LXer Syndicated Linux News 0 06-07-2006 03:21 AM

LinuxQuestions.org > Forums > Non-*NIX Forums > General

All times are GMT -5. The time now is 10:08 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration