From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 22:34:46 +1000
Message-ID: <87h762esku.fsf@gmail.com>
References: <871qxbdulc.fsf@mat.ucm.es> <87k0b2tkg1.fsf@mat.ucm.es> <87zgjx4qhs.fsf@gmail.com> <87bkwcgmr3.fsf@mat.ucm.es> <87levfzqj2.fsf@yale.edu> <871qx7scvi.fsf@gmail.com> <87v8ujqec5.fsf@logand.com> <87ee172fjz.fsf@gmail.com>
User-Agent: mu4e 1.7.13; emacs 28.1.50
Cc: Tomas Hlavaty, "Jorge A. Alfaro-Murillo", emacs-devel@gnu.org
To: Stefan Monnier
Stefan Monnier writes:

>> Problem is, Google T&C require that the application ID is kept secret.
>> For open source, this is a problem because we cannot add the application
>> ID and keep it secret while making the code open source.
>
> FWIW, it's also a problem for proprietary applications since the secret
> will necessarily be somewhere inside the executable as well. It's a bit
> harder to find, and can be obfuscated to some extent, but as long as you
> can run the code inside a debugger and you have enough time on your
> hands to reverse engineer the workings of that part of the code you can
> also extract the application ID.
>

Yes, that is a flaw. However, requiring the application ID to be kept secret is really the error - it isn't necessary and doesn't improve the security. From what I've read, it was never the intention of the designers of oauth that this value be kept secret. It really exists mainly as an auditing/debugging/troubleshooting aid, not part of the authn/authz process. I think this is why some people are trying to get clarification from Google, as it is likely their reference to what must be kept secret only includes the application ID by error/oversight. (I was told this confusion originally occurred because of ambiguity in the original oauth documentation, which has subsequently been fixed/clarified.) Problem is, most users cannot get past the lower level helpdesk staff or get their issue in front of someone who can actually look at it and do something, and even if you could, getting them to care enough to do something is unlikely - the percentage of users impacted is likely just too small compared to other issues they are also dealing with.
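Tim's point that the client ID is an identifier rather than a credential is exactly what the OAuth 2.0 "public client" profile assumes, and RFC 7636 (PKCE) is the mechanism such a client uses to bind an authorization code to itself without holding any secret at all. The following is an added example, not code from this thread or from Emacs: a minimal PKCE exchange in Python with a toy authorization server. The endpoint URL, client ID, redirect URI and the AuthServer class are constructed placeholders; the only real values are the S256 test vector from RFC 7636 Appendix B, used in the checks.

```python
# Added example (not from the thread): PKCE (RFC 7636) for a public OAuth 2.0
# client, i.e. one that, like an open-source desktop mail client, cannot keep a
# client secret. The client_id is sent in the clear; what ties the authorization
# code to the client that requested it is the one-time code_verifier.
from __future__ import annotations

import base64
import hashlib
import secrets
import urllib.parse

# Constructed placeholders; a real deployment uses the provider's values.
AUTH_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "PLACEHOLDER-client-id"
REDIRECT_URI = "http://127.0.0.1:8080/callback"


def b64url(raw: bytes) -> str:
    """BASE64URL without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Fresh high-entropy code_verifier; 32 random bytes give 43 characters,
    the RFC 7636 section 4.1 minimum (the maximum is 128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(challenge: str, state: str, scope: str = "mail") -> str:
    """Authorization request the client opens in the user's browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,          # identifier, not a credential
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                  # CSRF binding for the redirect
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


class AuthServer:
    """Toy authorization server (constructed for the example): it stores the
    challenge with each issued code and checks the verifier at the token endpoint."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, challenge: str, method: str) -> str:
        if method != "S256":  # refuse the weaker "plain" method outright
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, challenge)
        return code

    def token(self, client_id: str, code: str, verifier: str):
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None:
            return None
        issued_to, challenge = entry
        if issued_to != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_exchange() -> tuple[bool, bool, bool]:
    """Simulate the flow; returns (genuine_ok, replay_refused, mismatch_refused)."""
    server = AuthServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(8)
    url = build_authorization_url(challenge, state)  # the browser is sent here
    # The user consents at `url`; the server issues a code bound to the challenge.
    code = server.authorize(CLIENT_ID, challenge, "S256")
    genuine = server.token(CLIENT_ID, code, verifier)
    # Presenting the same code again is refused: it was consumed above.
    replay = server.token(CLIENT_ID, code, verifier)
    # A code redeemed with a verifier that does not hash to its challenge is
    # refused; this check, not a client secret, is what protects a public client.
    code2 = server.authorize(CLIENT_ID, challenge, "S256")
    mismatch = server.token(CLIENT_ID, code2, make_code_verifier())
    return (genuine is not None, replay is None, mismatch is None)


if __name__ == "__main__":
    print(run_exchange())  # (True, True, True)
```

The design point is that nothing the client embeds in its source (client ID, redirect URI, endpoint) needs to be secret: the verifier is generated per authorization request and never leaves the client until the token request, so publishing the source changes nothing about the security of the exchange.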