Tuesday, August 18, 2015

On how not to do things right

Recently one of the users of our SecureBlackbox product reported that the SMTP client component can't log in to GMail, with a strange message: "Someone just tried to sign in to your Google Account [my email] from an app that doesn't meet modern security standards".

The message itself doesn't make much sense, as it neither explains the problem ("doesn't meet standards" is not an explanation) nor does it suggest a solution.

A forum search led me to an answer in Google's knowledge base, which doesn't add much to the error message either. While it offers a partial solution for the owner of the mailbox, it does not explain what exactly happens.

Finally, another forum post led me to what could be an explanation, although it's only a hint. It turns out that Google has implemented OAuth2 in protocols like SMTP and IMAP. And here lies a huge problem.

OAuth2 is a web-based protocol which in many cases involves the web browser and user interaction. This makes fully automated operation nearly impossible and also significantly complicates the implementation of any client.
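To make the mail-side half of this concrete, here is an added example (not code from the original post or from SecureBlackbox) of what the client has to send once it has obtained an access token: Google's SASL mechanism for OAuth2 over SMTP and IMAP is XOAUTH2, whose initial client response is a base64-encoded string of the form `user=<address>^Aauth=Bearer <token>^A^A`. The mechanism name and format are taken from Google's public documentation as I understand it; the mailbox address and token below are constructed placeholders, and obtaining the token itself (the browser-driven part) is outside this snippet.

```python
import base64

# Control character 0x01 separates the fields of an XOAUTH2 response.
SEP = "\x01"


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Return the base64 SASL initial response for the XOAUTH2 mechanism."""
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def smtp_auth_command(user: str, access_token: str) -> str:
    """SMTP command line the client sends after EHLO over a TLS session."""
    return f"AUTH XOAUTH2 {build_xoauth2_response(user, access_token)}"


def imap_authenticate_command(tag: str, user: str, access_token: str) -> str:
    """IMAP command line (with the client's tag) for the same mechanism."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2_response(user, access_token)}"


def parse_xoauth2_response(encoded: str) -> dict:
    """Decode and validate a response; useful when inspecting a captured
    session to confirm a client really sent a bearer token and not a password."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("XOAUTH2 response must end with two 0x01 bytes")
    fields = {}
    for field in raw[:-2].split(SEP):
        key, eq, value = field.partition("=")
        if not eq or key in fields:
            raise ValueError(f"malformed or duplicate field: {field!r}")
        fields[key] = value
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("expected exactly 'user' and 'auth=Bearer ...' fields")
    return {"user": fields["user"], "token": fields["auth"][len("Bearer "):]}


if __name__ == "__main__":
    # Constructed sample values, not a real mailbox or token.
    print(smtp_auth_command("someuser@example.com", "ya29.EXAMPLE_TOKEN"))
    print(imap_authenticate_command("A01", "someuser@example.com", "ya29.EXAMPLE_TOKEN"))
```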

There exist plenty of authentication schemes which avoid transferring the password and/or allow third-party servers to be used for authentication. Google seems to have chosen the least appropriate variant instead.

Google is known for non-standard technical and business solutions, and they mostly work to the benefit of users and of Google itself. But some solutions seem not only untested, but unable to pass any sanity check.