From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 22:34:46 +1000
Message-ID: <87ee16eskb.fsf@gmail.com>
References: <871qxbdulc.fsf@mat.ucm.es> <87k0b2tkg1.fsf@mat.ucm.es> <87zgjx4qhs.fsf@gmail.com> <87bkwcgmr3.fsf@mat.ucm.es> <87levfzqj2.fsf@yale.edu> <871qx7scvi.fsf@gmail.com> <87v8ujqec5.fsf@logand.com> <87ee172fjz.fsf@gmail.com>
To: Stefan Monnier
Cc: Tomas Hlavaty, "Jorge A. Alfaro-Murillo", emacs-devel@gnu.org
User-Agent: mu4e 1.7.13; emacs 28.1.50

Stefan Monnier writes:

>> Problem is, Google T&C require that the application ID is kept secret.
>> For open source, this is a problem because we cannot add the application
>> ID and keep it secret while making the code open source.
>
> FWIW, it's also a problem for proprietary applications since the secret
> will necessarily be somewhere inside the executable as well. It's a bit
> harder to find, and can be obfuscated to some extent, but as long as you
> can run the code inside a debugger and you have enough time on your
> hands to reverse engineer the workings of that part of the code you can
> also extract the application ID.
>

Yes, that is a flaw. However, requiring the application ID to be kept secret is really the error - it isn't necessary and doesn't improve the security. From what I've read, it was never the intention of the designers of oauth that this value be kept secret. It really exists mainly as an auditing/debugging/troubleshooting aid, not part of the authn/authz process.

I think this is why some people are trying to get clarification from Google, as it is likely their reference to what must be kept secret only includes the application ID by error/oversight. (I was told this confusion originally occurred because of ambiguity in the original oauth documentation, which has subsequently been fixed/clarified.)

Problem is, most users cannot get past the lower level helpdesk staff or get their issue in front of someone who can actually look at it and do something, and even if you could, getting them to care enough to do something is unlikely - the percentage of users impacted is likely just too small compared to other issues they are also dealing with.
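As an added illustration (not code from the thread or from Emacs), the PKCE extension (RFC 7636) is the mechanism OAuth 2.0 provides for exactly the situation discussed above: a public client such as a desktop mail reader that cannot keep a static secret instead proves possession of a fresh random verifier on each authorization. The client ID, redirect URI and authorization endpoint below are placeholder values, not Google's.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values for the example; a real client gets its client_id from the
# provider's console. Note that no client secret is embedded anywhere.
CLIENT_ID = "example-client-id.apps.example"
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # loopback redirect for a desktop app
AUTH_ENDPOINT = "https://auth.example/o/oauth2/v2/auth"  # placeholder endpoint


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved characters.
    32 random bytes encode to exactly 43 characters."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_challenge(verifier: str, challenge: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time. An
    attacker who intercepted the authorization code but not the verifier fails."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorization_url(verifier: str, state: str, scope: str) -> str:
    """Authorization request for a public client: code flow + PKCE, no secret."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,  # CSRF binding for the redirect, also per-request random
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"
```

The verifier is kept in memory for the duration of one authorization and sent only on the token request, so nothing long-lived needs to be shipped inside the program.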