I was browsing around reading up on setting up claws-mail to interact with Gmail. I use it myself (have done for several years) and am thinking of setting it up for a friend.
All the instruction sets advise you to use imap for the download and not pop3. You are advised that Google regard pop3 as insecure and will block it unless you have selected an explicit option to turn on "less secure access". Obviously, a novice is not going to do that!
Nice of Google, isn't it, to care so much about its users' security that it stops them from making silly mistakes. Except that it turns out imap has a great big leak that allows Google to read all your emails in clear from the Drafts folder, even if you encrypt them before sending. Here is the gen.
Far from caring about our security, Google wants to be able to hack our mail and that's why it discourages users from using pop3. Apparently pop3 does not have this hole.
PS: Tails recommends Icedove, which does not have this hole. Now Icedove is simply unbranded Thunderbird. So what does Google think of Thunderbird? Yes, you've guessed it! They specifically warn you against using it because they consider it "insecure".
Last edited by hazel; 02-04-2019 at 11:24 AM.
Reason: Added postscript
Hazel, you apparently trust Google almost as far as I do - about as far as I can throw them. The pop3 insecurity, I think, is a matter of how you connect. If you can use a secure connection then it would be secure in transit. If you cannot use a secure connection . . . . Imap has the problem as you pointed out that it resides on their computers so they ALWAYS have access. I hardly use Google for obvious reasons and use another email provider. So I always use pop3 (except for Google and I may change that) which means I create my emails, encrypt them if I wish, and then send them. Therefore anything I want encrypted is encrypted before the email system ever gets it. I always assume my emails are read by others, it's safer that way. Most of my family aren't as paranoid so I just am careful what I say in emails, but then the rest of my family did not work for years in the security environment I did. Appreciate the tip.
I use gmail mainly for mailing list traffic. There's nothing secret in those and they're all archived online anyway. My personal mail goes through my ISP's mail servers.
What infuriates me is that Google specifically ban as "insecure" any form of access that prevents them from spying on you.
It isn't a nasty trick by Google and the posted link indicates it is a Claws problem.
As far as I know, less secure access is for email clients that do not use OAuth2 authentication. Since Google uses SSL/TLS encryption for both IMAP and POP3, using pop3 isn't a problem any more.
The difference between IMAP and POP3 is that IMAP syncs email between client and server. Email in the process of being written can also be saved to the draft folder, which might be automatically synced to the server if using IMAP. The link does have some workarounds and switching to POP3 is an option if your friend only uses email from one device.
Typical of software authors is that they think they know what the user wants better than they do. As stated, using another email client if possible would probably be the best solution.
I have a Google account so I can make use of their webmaster tools but never do a search when logged in or use the Gmail box associated with it.
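An added example, not part of the thread and not code from Claws Mail or Google: a defender-side check that classifies stored draft messages as encrypted (PGP/MIME, S/MIME, inline PGP) or plaintext, which is what decides whether a draft synced to an IMAP server is readable there. The sample drafts, addresses and function names are constructed for illustration.

```python
from email import message_from_bytes, policy

PGP_BEGIN = "-----BEGIN PGP MESSAGE-----"
PGP_END = "-----END PGP MESSAGE-----"

def classify(raw: bytes) -> str:
    """Say how (or whether) one stored message protects its body."""
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    # PGP/MIME (RFC 3156): the encrypted container declares its protocol.
    if ctype == "multipart/encrypted" and \
            (msg.get_param("protocol") or "").lower() == "application/pgp-encrypted":
        return "pgp-mime"
    # S/MIME: enveloped-data is the encrypted form (signed-data is not).
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") and \
            (msg.get_param("smime-type") or "").lower() == "enveloped-data":
        return "smime"
    # Inline PGP: every text part must consist only of armored ciphertext.
    texts = [p.get_content().strip() for p in msg.walk()
             if p.get_content_maintype() == "text"]
    if texts and all(t.startswith(PGP_BEGIN) and t.endswith(PGP_END) for t in texts):
        return "inline-pgp"
    return "plaintext"

def plaintext_drafts(drafts):
    """Subjects of the drafts whose body is stored unencrypted."""
    return [str(message_from_bytes(r, policy=policy.default)["Subject"])
            for r in drafts if classify(r) == "plaintext"]

def _draft(subject, ctype, body):
    """Build one constructed sample message as raw bytes."""
    head = ("From: a@example.org\r\nTo: b@example.org\r\n"
            f"Subject: {subject}\r\nMIME-Version: 1.0\r\n"
            f"Content-Type: {ctype}\r\n\r\n")
    return (head + body).encode()

# Constructed samples; the armor block is a placeholder, not real ciphertext.
ARMORED = f"{PGP_BEGIN}\r\n\r\n(constructed placeholder)\r\n{PGP_END}\r\n"
DRAFTS = [
    _draft("Meeting notes", "text/plain; charset=utf-8", "Plain text body.\r\n"),
    _draft("Inline draft", "text/plain; charset=utf-8", ARMORED),
    _draft("PGP/MIME draft",
           'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"',
           "--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
           "--b1\r\nContent-Type: application/octet-stream\r\n\r\n" + ARMORED
           + "--b1--\r\n"),
]

if __name__ == "__main__":
    print(plaintext_drafts(DRAFTS))
```

The same `classify` function can be fed raw messages exported from a local Drafts folder to see which ones would be readable if the folder is synced.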
I rarely ever use email for anything but registration or thread updates and a box from my domain for that so I can redirect mail or delete the box if need be. I prefer offshore accounts for everything else.
You make a good point that isn't brought up enough about email scanning. It does happen at a ridiculous level and I've had a long issue personally experiencing the effects of this. You should consider looking at protonmail.com and the new Librem 5.
I also take the view that email is not secure, but still use it for some things. I use Gmail via IMAP and every few months Google sends me a "warning" that I'm using an "insecure" setting and should turn it off. If I obey, I lose IMAP access from any non-Google-approved client.
When I looked into it last year, Google would indeed accept any client that used OAuth2 (iirc), but by an amazing coincidence the only mail client I could find for Android that used it was their own app. I used it for a while but it never worked reliably with another mail account, which is an old spam-trap provided by Hotmail. How strange that 'embrace, extend, extinguish' Microsoft and 'don't be too evil' Google would have trouble communicating over a standard protocol.
Slightly less often Google gives me a scary-looking pop-up on my one Android device, telling me that someone else has tried to access my account using my password, but they detected that it wasn't me and blocked the access. From the timing it looks very likely that the "insecure" access attempt is actually one of the regular polls by the mail program I have running most days. I don't know what tips the balance to attract the extra warning, maybe something unusual done by my ISP, or just possibly an algorithm involving a cup and a pair of dice.
Last edited by Pastychomper; 02-05-2019 at 06:08 AM.
Reason: tyop
I was an email server admin for several years. That was not my main job, but something I could do that NO one else wanted. Trust that I know what I am talking about when I say: NO email is secure. EVER!
Once you send email, you have no control over what servers it passes through, what is done to it, who can scrape or read it, or where it ends. End to end encryption helps a lot, but even that is not a sure thing. In the best case it is not dependable, in the worst case it can be faked, read, leveraged, redirected, or blocked without notice.
That is the nature of the email beast, and not the fault of Google, Facebook, Microsoft, or any company you can name.
I agree with you, but you can still use pop.gmail.com to set up your e-mail in a third-party e-mail application such as Thunderbird.
That's not as simple as it sounds. They've made it much harder since I set up my email a few years ago. Under the new rules, you can set up pop3 access but when you try to use it, your password won't be accepted if you are using a non-approved application. They specifically name Thunderbird as non-approved by the way. https://support.google.com/accounts/answer/6010255
To get in nowadays, you must either use 2-factor authentication (if your application supports it) or switch off a specific security option in your Google account, which of course triggers all kinds of apocalyptic warnings that are guaranteed to scare off the average non-technical user.
@pastychomper: I get those warnings too. They don't like you using pop3.
Last edited by hazel; 02-05-2019 at 06:21 AM.
Reason: Added link
Their implementation of IMAP is already broken. If Google is able to eliminate IMAP and POP support then given the size of their market share they can basically capture e-mail as a technology and take it proprietary. That's the direction they seem to be heading for a while and there's no single major competitor in the mail space. There are a lot of smaller ones still but while it's not that hard setting up your own mail service it is almost impossible to get approved for correspondence with GMail users, including those that outsource mail to Google.
SMTP + IMAP/POP need very badly to be replaced but that is not the way to go about it; open standards are needed. Otherwise we'll continue to dig down into incompatible, balkanized, proprietary e-mail like we had with networking prior to the Internet.