edbrowse-dev - development list for edbrowse
 help / color / mirror / Atom feed
* [edbrowse-dev] Two Factor
@ 2018-07-21  1:28 Karl Dahlke
  2018-07-21  1:55 ` Dominique Martinet
  0 siblings, 1 reply; 4+ messages in thread
From: Karl Dahlke @ 2018-07-21  1:28 UTC (permalink / raw)
  To: edbrowse-dev

[-- Attachment #1: Type: text/plain, Size: 707 bytes --]

Chuck mentioned, off the group, that you can't access gmail through imap or pop3 unless you check a "allow less secure applications" button, and I have also experienced this.
And when I wanted to tap into my daughter's gmail by email, she too had to enable this "less secure apps" feature.
There are rumors that A) this option might go away, whence edbrowse access to gmail would go away, and
B) it relates to two-factor.
Without me doing a lot of research, can anyone explaain two-factor, and does curl support it, whence edbrowse could remain viable for gmail and other paranoid servers?
I'm guessing it's out of our hands; either curl supports it or it does not; but that's a guess.

Karl Dahlke

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [edbrowse-dev] Two Factor
  2018-07-21  1:28 [edbrowse-dev] Two Factor Karl Dahlke
@ 2018-07-21  1:55 ` Dominique Martinet
  2018-07-21  3:24   ` Karl Dahlke
  0 siblings, 1 reply; 4+ messages in thread
From: Dominique Martinet @ 2018-07-21  1:55 UTC (permalink / raw)
  To: Karl Dahlke; +Cc: edbrowse-dev

Karl Dahlke wrote on Fri, Jul 20, 2018:
> Chuck mentioned, off the group, that you can't access gmail through imap or pop3 unless you check a "allow less secure applications" button, and I have also experienced this.
> And when I wanted to tap into my daughter's gmail by email, she too had to enable this "less secure apps" feature.
> There are rumors that A) this option might go away, whence edbrowse access to gmail would go away, and
> B) it relates to two-factor.
> Without me doing a lot of research, can anyone explaain two-factor, and does curl support it, whence edbrowse could remain viable for gmail and other paranoid servers?
> I'm guessing it's out of our hands; either curl supports it or it does not; but that's a guess.

"two factor" in itself is easy and should work with edbrowse - the point
is that to log in to your gmail account on the web interface, you need
to enter your password, then the next page will ask you to enter the
text message you received (they also do voice call or "security keys"
like yubikey, the keys might not be trivial to get to work, but phone
call works) in the next prompt

For imap/smtp there apparently is an "application-specific" password
just like fastmail is doing, once you've logged in with 2-factor they'll
let you create new passwords on this page:
https://myaccount.google.com/apppasswords 


Now... while logging in with 2-factor enabled works, I couldn't get the
actual enabling from gmail, and similarily the app passwords page
doesn't load either. I just get a "Your browser is not supported
anymore. Please update to a more recent one."...

So, a bit of a mixed feeling there. Just like fastmail if you can get
someone to help or if you use a screen reader with firefox for initial
setup you should be ok afterwards, but edbrowse isn't going to be
independant anymore :/

-- 
Dominique

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [edbrowse-dev] Two Factor
  2018-07-21  1:55 ` Dominique Martinet
@ 2018-07-21  3:24   ` Karl Dahlke
  2018-07-21  3:38     ` Dominique Martinet
  0 siblings, 1 reply; 4+ messages in thread
From: Karl Dahlke @ 2018-07-21  3:24 UTC (permalink / raw)
  To: edbrowse-dev

[-- Attachment #1: Type: text/plain, Size: 268 bytes --]

Ok, so somehow you've made a separate imap password, how the hell is that any more secure than the password you use for your account?
Either way an email client is sending over a password. It's just a password.
This looks like bogus bull shit to me.

Karl Dahlke

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [edbrowse-dev] Two Factor
  2018-07-21  3:24   ` Karl Dahlke
@ 2018-07-21  3:38     ` Dominique Martinet
  0 siblings, 0 replies; 4+ messages in thread
From: Dominique Martinet @ 2018-07-21  3:38 UTC (permalink / raw)
  To: Karl Dahlke; +Cc: edbrowse-dev

Karl Dahlke wrote on Fri, Jul 20, 2018:
> Ok, so somehow you've made a separate imap password, how the hell is that any more secure than the password you use for your account?
> Either way an email client is sending over a password. It's just a password.
> This looks like bogus bull shit to me.

It's a bit bull shit, but the advantage is that you can (should?) have
one separate password for each computer / phone / campfire (for mail
over smoke signal!); so that if your phone gets stolen you can disable
that phone's password and create a new one.

Also, the generated password will be more complicated than "passw0rd"
(harder to guess than what most people would pick naturally) and doesn't
give access to the main web account, so when adding these three points
up it's arguably better on the grand scale - so that the password that's
very often stored in plain text in a config file like our .ebrc will
only give access to mails and not to google calendar or whatever it is
people do with their gmail account.


Can't say I can relate much to any of the arguments I just gave here,
but I can understand that they would encourage people to do this.
Now if they disable the old method though I'm not sure what we should do
though, probably will have to spend a bit of time figuring why it thinks
our browser is not supported...

-- 
Dominique

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-07-21  3:39 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-21  1:28 [edbrowse-dev] Two Factor Karl Dahlke
2018-07-21  1:55 ` Dominique Martinet
2018-07-21  3:24   ` Karl Dahlke
2018-07-21  3:38     ` Dominique Martinet

edbrowse-dev - development list for edbrowse

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.vuxu.org/edbrowse-dev

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 edbrowse-dev edbrowse-dev/ http://inbox.vuxu.org/edbrowse-dev \
		edbrowse-dev@edbrowse.org
	public-inbox-index edbrowse-dev

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.edbrowse.dev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git