
antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude

Premium Member

"Why does Google Say Mozilla Thunderbird is Less Secure?"

»www.howtogeek.com/206534 ··· -secure/ from »www.linuxtoday.com/secur ··· ure.html

"Sometimes when you are looking for an answer to one thing, you end up finding something else rather surprising. Case in point, Google’s statement that Mozilla Thunderbird is less secure, but why do they say that? Today’s SuperUser Q&A post has the answer to a confused reader’s question..."

Interesting. I use SeaMonkey's e-mail feature that is based on Thunderbird.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran

Premium Member

Re: "Why does Google Say Mozilla Thunderbird is Less Secure?"

From what I can tell it only applies if you use two-factor authentication with Google.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 recommendation

Mele20

Premium Member

I understand the articles to say that Google will start forcing secure authentication which means Thunderbird can no longer be used. TB does plain text password. Google, as usual, is being two faced and hyping something that is not necessary to hype. The user is not safe from Google's prying eyes nor is anyone who ever, even once, communicates with someone who has G mail.

My ISP does not offer secure email and that is fine with me. I do nothing of importance on email. I don't use G mail and refuse to communicate with anyone who does. So, Google's silly stand doesn't matter to me. But I sure hope TB does not drop plaintext authentication because of Google. I no longer use anything that requires two step authentication. It is extremely cumbersome, SLOW and irritating especially if you use a landline.

mackey
Premium Member
join:2007-08-20

2 recommendations

mackey

Premium Member

said by Mele20:

forcing secure authentication which means Thunderbird can no longer be used. TB does plain text password.

What are you talking about?


Thunderbird can most definitely do secure authentication, and has been able to for a looooooong time now.

If you want insecure, how about Android's default mail program - it loads all external/linked images immediately when you open the email and gives you no way to shut that "feature" off! Talking about letting everyone and their mother track you...
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

So, your ISP allows encrypted passwords. Mine doesn't. But whatever, Gmail cannot be used with TB once Google begins enforcing two step authentication. Google is so two faced it's pitiful.

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube to antdude

Member

to antdude
On the SeaMonkey end, Bug 1096894 - Google Mail includes SeaMonkey Mail among "less secure apps".

carpetshark3
Premium Member
join:2004-02-12
Idledale, CO

1 edit

carpetshark3

Premium Member

How about other mail services?
I've used Claws mail.
Linux also has Sylpheed.
We used Squirrelmail at work.

Tbird shows the same as mackey's. There isn't any room for 2 factor if that's what Google wants. Most entry spaces have only one line.

goalieskates
Premium Member
join:2004-09-12
land of big

1 recommendation

goalieskates to antdude

Premium Member

to antdude

Re: "Why does Google Say Mozilla Thunderbird is Less Secure?"

Some of us just don't use gmail, which solves the problem neatly.

There are always choices to be made. Google can impose whatever restrictions they like, it's their service, but sometimes people go too far and the choice goes against the bully.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

Re: "Why does Google Say Mozilla Thunderbird is Less Secure?"

said by goalieskates:

Some of us just don't use gmail, which solves the problem neatly.

Unfortunately an organization I belong to uses Gmail and I'm the email list admin.

I do use Gmail from within a walled VM (virtual machine) that contains no personal data. Of course Google gets my IP

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

3 recommendations

sivran to mackey

Premium Member

to mackey
As usual, she has no idea. Google is not going to force two-factor for all of its services. Those using GMail can continue using any client they like.

Also, why does she even care? She doesn't use GMail.
quote:
There isn't any room for 2 factor if that's what Google wants. Most entry spaces have only one line.
Two-factor authentication doesn't require a separate field. In the usual RSA Keyfob implementation, the number shown by the keyfob is simply appended to the password. If your password is p4s5W0rd, you'd press the button to get a code and append it to the end: p4s5W0rd788962.
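
The "code appended to the password" scheme described in this post, sketched from the server's side as an added example (not part of the original post, and not RSA's implementation): RFC 6238 TOTP stands in for the keyfob's proprietary code generator, and the function names, salt and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (stand-in for the token's own algorithm)."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_combined(entry: str, salt: bytes, stored_hash: bytes, secret: bytes,
                    now: float, digits: int = 6, window: int = 1,
                    step: int = 30) -> bool:
    """Check a single-field login of the form <password><token code>."""
    code = entry[-digits:]
    # The client sends one string; the server knows the code length and
    # peels it off the end. Anything without a numeric tail is rejected.
    if len(entry) <= digits or not (code.isascii() and code.isdigit()):
        return False
    password = entry[:-digits]
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    # Accept the current time step plus/minus `window` steps of clock drift.
    code_ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step, digits)
        code_ok |= hmac.compare_digest(expected, code)
    # Both factors are always evaluated, so a failure does not reveal which
    # half of the entry was wrong.
    return pw_ok and code_ok

# Constructed sample account: the password from the post, the RFC 6238 test secret.
SALT = b"constructed-salt"
SECRET = b"12345678901234567890"
STORED_HASH = hash_password("p4s5W0rd", SALT)

if __name__ == "__main__":
    entry = "p4s5W0rd" + totp(SECRET, 59)
    print(entry, verify_combined(entry, SALT, STORED_HASH, SECRET, now=59))
```

A mail client with a single password box needs no change for this to work, which is the point the post makes; the code is only valid for a short window, so a captured entry stops working once that window has passed.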

harry
@75.129.131.x

harry

Anon

I currently use Gmail with 2FA enabled and it works fine with Thunderbird. You can create 'app specific passwords' in Gmail for use with apps which don't natively support 2FA.

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

1 recommendation

Dustyn to antdude

Premium Member

to antdude

Re: "Why does Google Say Mozilla Thunderbird is Less Secure?"

Why would anyone use Gmail when there's email@dslr.net?

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude

Premium Member

Re: "Why does Google Say Mozilla Thunderbird is Less Secure?"

said by Dustyn:

Why would anyone use Gmail when there's email@dslr.net?

Is it secured? :P

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

1 edit

NormanS to Mele20

MVM

to Mele20
said by Mele20:

The user is not safe from Google's prying eyes nor is anyone who ever, even once, communicates with someone who has G mail.

Even just once? How does Google keep tracking a one-off communication?

Perhaps you can show me how Google can track me permanently from this email?
Return-Path: <**********@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on d.spam.sonic.net
X-Spam-Level: 
X-Spam-Status: No, score=-3.5 required=5.0 tests=DCC_REPUT_13_19,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,
    RCVD_IN_MSPIKE_WL,SNF4SA,SONIC_FRIEND autolearn=disabled version=3.4.0
X-Spam-SNF-Result: 0 (Standard White Rules)
X-Spam-MessageSniffer-Scan-Result: 
X-Spam-MessageSniffer-Rules: 
    0-0-0-2424-c
X-Spam-GBUdb-Analysis:  0, 69.12.221.245, Ugly c=1 p=-0.648941 Source Normal
Received: from m.mx.sonic.net (a.spam-proxy.sonic.net [69.12.221.245])
    by d.spam.sonic.net (8.14.4/8.14.4) with ESMTP id t063U7AE019975
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
    for <**********@lds.sonic.net>; Mon, 5 Jan 2015 19:30:07 -0800
Received: from mail-pa0-f46.google.com (mail-pa0-f46.google.com [209.85.220.46])
    by m.mx.sonic.net (8.14.9/8.14.9) with ESMTP id t063U5YR002340
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
    for <**********@aosake.net>; Mon, 5 Jan 2015 19:30:06 -0800
Received: by mail-pa0-f46.google.com with SMTP id lf10so29958477pab.19
    for <**********@aosake.net>; Mon, 05 Jan 2015 19:30:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20120113;
    h=message-id:date:from:user-agent:mime-version:to:subject
    :content-type:content-transfer-encoding;
    bh=hTOj1PEIVEgLAoGeR6qN1ciNtXPUY9UEqfvO9LCTCzQ=;
    b=pbh0wKM8kRWQtBUS/CfPshNkttLuiSdvOEUYWRXZIm5nYKqOfhkn0gQXYxw4YBUDCu
    jfM59CpueEbl3iibtwKiy6oYYQENIykofBQ1ex2hj2uHvQGhKCg61f/1cp2npHqWASI1
    LLPasaOWMuZsIwWCsl5BSZ44z3sSXiDNEx0vPURj3ZJguFjEX2yWLrz0NiBYajphFQ1U
    uQ/+Q+UxWMh7RoiSUBaD8brOe2iH4TMPInYfU/Y5gT93/gHKaCWDv5u12wYNaUllM5mj
    ULeOPtFAJsUm7PUuhzLPq8evLjQGKA84zT4qu8d865apBS6HcfCC19rrQGEz+SECbE4n
    pShA==
X-Received: by 10.70.90.226 with SMTP id bz2mr151654806pdb.157.1420515005371;
    Mon, 05 Jan 2015 19:30:05 -0800 (PST)
Received: from kozue.aosake.net (9026-355e-daac-768e-09d7-04ed-a420-2062.6rd.ip6.sonic.net. [2602:24a:de40:7d90:e867:caad:e553:6209])
    by mx.google.com with ESMTPSA id lq2sm11592866pab.34.2015.01.05.19.30.03
    for <**********@aosake.net>
    (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Mon, 05 Jan 2015 19:30:04 -0800 (PST)
Message-ID: <54AB563A.6010809@kozue.gmail.com>
Date: Mon, 05 Jan 2015 19:27:54 -0800
From: "NormanS" <**********@gmail.com>
Organization: PDR
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: **********@aosake.net
Subject: [TEST] Track me?
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Orthrus: tar=0 grey=no co=US os=Linux/2.2.x-3.x/3 spf=pass dkim=pass
 
How?
 
 
Ellen098
join:2003-05-04
U. S.

Ellen098 to harry

Member

to harry
said by harry :

I currently use Gmail with 2FA enabled and it works fine with Thunderbird. You can create 'app specific passwords' in Gmail for use with apps which don't natively support 2FA.

How can you do that from Gmail's settings?

GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

GuruGuy

Premium Member

Go to account settings.
From within Gmail, click your name top right corner, then account.
Then scroll down to 2 step verification.
2nd tab on top: app specific passwords
At the bottom click "manage app specific passwords"
Set it up from there

dib22
join:2002-01-27
Kansas City, MO

dib22 to antdude

Member

to antdude
I am sure that Thunderbird will get OAuth 2.0 support eventually.
Ellen098
join:2003-05-04
U. S.

Ellen098 to GuruGuy

Member

to GuruGuy
GuruGuy,

Thanks for your specific instructions. Following what you said, I was able to set up 2-factor authentication & also "manage app. specific passwords". But, the instructions said that to use 2-factor authentication from my phone, I'd need to use a password one time which Gmail provided (which was made up of all lower-case alphabetic characters) instead of my usual password. Shouldn't the new password be used in addition to my regular password in order for 2-factor auth. to take place?

Both TB & my phone said that they weren't able to access Gmail & that I had to re-enter my password. But, since I apparently needed to replace my old one with Gmail's new, weak one, I didn't see the benefit of doing that. Is there anything else I could have done to keep my original passwords & then add the 2nd one as well?

GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

GuruGuy

Premium Member

The two factor one replaces the original password. It is not used with the existing one. The phone doesn't have the ability to use two passwords, thus the use of the new one. The benefit is that the new password will only work with that one device and can't be used anywhere else or with any other device.
Ellen098
join:2003-05-04
U. S.

Ellen098 to antdude

Member

to antdude
Thanks for your answer. If the new password will only work with that one device, will the original password still work on other devices? Also, if someone wants 2FA on all devices, will a separate new password have to be set up for each of them or isn't that possible?

GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

GuruGuy

Premium Member

Once enabled, you have to set up a password for each device or email client that needs access. Essentially, every device/client will have its own password. If one is compromised, you can log in to the Gmail settings and disable that device/client.
Ellen098
join:2003-05-04
U. S.

Ellen098 to antdude

Member

to antdude
If the only benefit of this type of 2FA is that you can disable the device if it's stolen, would there be any benefit of using it for non-portable devices/systems like PCs? It seems that the negatives of a weak password (like the one which Gmail generated for me) would outweigh the exceedingly unlikely risk of a PC, or a HD in a PC, being stolen. Also, are the passwords which you've had generated by Gmail for your portable devices also made up of all lowercase letters?

dib22
join:2002-01-27
Kansas City, MO

dib22

Member

said by Ellen098:

It seems that the negatives of a weak password (like the one which Gmail generated for me) would outweigh the exceedingly unlikely risk of a PC, or a HD in a PC, being stolen.

It has its risks... and even Google points these out (they give notice that your account could be hijacked using that password each time you create one)... and remember the article that started this thread is Google saying just that.

Many of us users have wanted them to allow us to specify the password or at least the complexity of it.

The connection attempts are presumably being monitored by the goog just like all of their logins are, so any attacks would trigger suspicious activity and alert you if you have that enabled... but there is no clear FAQ or answer about how it is dealt with. Letting us use complex passwords would go a long way, but they have opted for the "usability" method, putting their trust in the security.

I never create app passwords for my important Google accounts (accounts that control other services), not with 16 character all lower case.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to Mele20

Member

to Mele20
Security and privacy are not the same thing. A browser can be more secure and yet leak every drop of personal information that does not for example lead to identity theft. E.g., it does not give up your social security number but does report what sites you frequent and what your most common search terms are. Chrome can be a thousand times more secure and a thousand times less private at the same time. Also how exploitable a browser is etc.
Ellen098
join:2003-05-04
U. S.

Ellen098

Member

Good points about how security & privacy can diverge.