Why does Google call Thunderbird "less secure"?

58

10

I've never had problems using Gmail with Thunderbird yet, but while trying to use a free software client for Google Talk/Chat/Hangout I've discovered that, according to Google's document on "less secure apps":

Some examples of apps that do not support the latest security standards include [...] Desktop mail clients like Microsoft Outlook and Mozilla Thunderbird.

Google then offers an all-or-nothing secure vs. non-secure account switch ("Allow less secure apps").

Why does Google say Thunderbird "does not support the latest security standards"? Is Google trying to say that standard protocols like IMAP, SMTP and POP3 are "less secure" ways to access a mailbox? Are they trying to say that the use users make of that software puts their accounts at risk? Or what?

Secunia's Vulnerability Report: Mozilla Thunderbird 24.x (where is 31?) says «Unpatched 11% (1 of 9 Secunia advisories) [...] The most severe unpatched Secunia advisory affecting Mozilla Thunderbird 24.x, with all vendor patches applied, is rated Highly critical», apparently SA59803.

Update 2: as of 2018, Google doubles down by sending messages inviting users to disable "less secure" access:

Google notification

Update: OAuth2 is available in Thunderbird 38, with further fixes in later releases, and bug 849540 has been closed. I'm still not clear about the goals of all this circus.

Italian Thunderbird 38.1.0 SMTP server screenshot

Nemo

Posted 2014-12-22T16:47:03.450

Reputation: 1 050

7

Relevant Bugzilla issue. – Bob – 2014-12-23T02:56:01.367

2

If you have two-factor authentication enabled on the account, you can generate an application-specific password for Thunderbird. – Ry- – 2014-12-23T03:22:46.743

8

This really calls for the answer "Because Google is wrong." – Joshua – 2014-12-23T16:18:34.523

4

Related from Security.SE: What are the dangers of allowing “less secure apps” to access my Google account? (I think the practice of letting third parties see your credentials is fairly called "less secure", but it's totally unclear to me what security benefit Google gives by denying authentication after you've already given away your credentials.)

– apsillers – 2014-12-23T17:11:40.290

Answers

51

It's because those clients (currently) don't support OAuth 2.0.

...beginning in the second half of 2014, we'll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.

...

In summary, if your application currently uses plain passwords to authenticate to Google, we strongly encourage you to minimize user disruption by switching to OAuth 2.0.

Source: "New Security Measures Will Affect Older (non-OAuth 2.0) Applications" - Google Online Security Blog

Ƭᴇcʜιᴇ007

Posted 2014-12-22T16:47:03.450

Reputation: 103 763

Thanks, checking the Google Online Security Blog was my next planned step. :) And "plain passwords" includes encrypted passwords, for them? – Nemo – 2014-12-22T17:32:18.927

@nemo "And "plain passwords" includes encrypted passwords, for them?" That's my understanding. Anything that isn't OAuth 2.0 is "plain passwords" to them, it would seem. :) – Ƭᴇcʜιᴇ007 – 2014-12-22T17:35:18.257

14

The issue isn't really security, it's quality control for data mining. Real security would be preventing Google from mining your personal data. – fixer1234 – 2014-12-22T19:03:46.213

19

@fixer1234 Personally I think it's more about Google wanting to force a web browser to be involved (2nd step in authentication), with the hope that you'll eventually be annoyed into using only (Google's) web mail client. ;) – Ƭᴇcʜιᴇ007 – 2014-12-22T19:06:09.640

24

@Nemo "Plain passwords" does not refer to whether the passwords are encrypted in transit, but to whether the third-party application (in this case, Thunderbird) has access to your plain-text Google Account password. With OAuth, it does not. Depending on how secure and how trustworthy the third-party app is, whether or not it stores your plain-text password could be a critical security issue. – Ajedi32 – 2014-12-22T20:59:16.550

10

Ajedi32, I understand what they mean, but the terminology isn't clear.

On this answer, it's technically correct, but IMHO not satisfactory. What sense does it make to declare that the "less secure apps" accessing Gmail include Thunderbird, but not web browsers, which most of the time store passwords, sometimes not even encrypted? – Nemo – 2014-12-22T22:54:20.443

OTOH they say "We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP" so they have the decency to leave the door open for open standards. – Nemo – 2014-12-22T23:01:12.043

The blog post is about web apps, other web sites that allow auth via Google. It's not informative about this question. – bmargulies – 2014-12-23T02:38:05.823

4

OAuth is more secure because it only needs to decrypt the keyring (i.e. passwords in plain text) for the very short duration while you authorize the mail agent; this is true whether you do the authentication in a browser or the mail software itself supports built-in OAuth authorization. If the mail software doesn't use OAuth, you'll need the keyring unlocked practically all the time, thus defeating the purpose of encryption (also your password is at risk every time you suspend or hibernate the computer with the keyring unlocked). – Lie Ryan – 2014-12-23T03:40:54.213

1

@Nemo: if you use the remember-me authentication when accessing your mail in the browser, the password is exchanged for a cookie (essentially an OAuth token). Until the remember-me timeout, or unless doing actions that require forced reauthentication, the web client doesn't need to have your password or the keyring unlocked. – Lie Ryan – 2014-12-23T03:46:46.863

@LieRyan, yes, good point, but:

  1. in a browser, you have a cookie always on instead, and stealing the cookies (which is much easier than exploiting a keyring, I'd say) allows you to change the password in most cases, unless there's a secondary verification step;
  2. having the keyring open in Thunderbird is, I'd think, less dangerous than having it open on browsers, cf. http://blog.xbc.nz/2014/12/how-android-password-managers-fall-prey.html:

so, again, shouldn't Google call browsers "less secure" for users who don't have additional protections, instead of targeting email and chat clients?

– Nemo – 2014-12-25T17:21:48.053

@Nemo: changing the password for a Google Account does require reauthentication with the password, IIRC. The cookie alone cannot be used to change the password. – Lie Ryan – 2014-12-25T18:55:29.350
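An added example, not part of any answer or comment in this thread, to make concrete the distinction Ajedi32 and Lie Ryan draw above between a client that holds the account password and one that holds an OAuth 2.0 token. It builds the SASL PLAIN and XOAUTH2 initial client responses an IMAP client such as Thunderbird sends to Gmail, then decodes each to show what a compromised client credential store (or a dump of its memory while the keyring is unlocked) would actually yield; the account name, password and token are constructed placeholders.

```python
import base64

# Constructed sample credentials; not real accounts or tokens.
USER = "alice@example.com"
PASSWORD = "correct horse battery staple"       # account password (constructed)
ACCESS_TOKEN = "ya29.constructed-sample-token"  # short-lived OAuth 2.0 token (constructed)


def sasl_plain(user: str, password: str) -> str:
    """Initial client response for AUTHENTICATE PLAIN (RFC 4616):
    base64(NUL + authcid + NUL + password). The account password itself is
    sent, so the client must keep it (or something equivalent) on disk."""
    raw = f"\x00{user}\x00{password}".encode()
    return base64.b64encode(raw).decode()


def sasl_xoauth2(user: str, access_token: str) -> str:
    """Initial client response for AUTHENTICATE XOAUTH2 (Google's SASL
    mechanism): base64("user=" + user + ^A + "auth=Bearer " + token + ^A^A).
    Only a scoped, expiring bearer token is sent; the password stays with
    the browser-based OAuth consent flow."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def secrets_exposed(mechanism: str, client_response: str) -> dict:
    """Decode a stored/sent client response the way someone who has
    compromised the client would, and report which secret it contains."""
    raw = base64.b64decode(client_response).decode()
    if mechanism == "PLAIN":
        _, user, password = raw.split("\x00")
        return {"user": user, "password": password, "token": None}
    if mechanism == "XOAUTH2":
        fields = dict(p.split("=", 1) for p in raw.strip("\x01").split("\x01"))
        return {"user": fields["user"], "password": None,
                "token": fields["auth"].removeprefix("Bearer ")}
    raise ValueError(f"unknown mechanism {mechanism}")


def imap_auth_line(mechanism: str) -> str:
    """The IMAP command a client would issue for each mechanism."""
    if mechanism == "PLAIN":
        return f"a001 AUTHENTICATE PLAIN {sasl_plain(USER, PASSWORD)}"
    return f"a001 AUTHENTICATE XOAUTH2 {sasl_xoauth2(USER, ACCESS_TOKEN)}"


if __name__ == "__main__":
    for mech in ("PLAIN", "XOAUTH2"):
        line = imap_auth_line(mech)
        print(line)
        print("  exposes:", secrets_exposed(mech, line.split()[-1]))
```

With PLAIN the decoded blob is the account password, good until the user changes it; with XOAUTH2 it is a token that expires on its own and can be revoked per application, which is the "less secure" distinction Google is drawing.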

4

Starting with Thunderbird 38, OAuth 2.0 is supported; see https://support.mozilla.org/en-US/kb/thunderbird-and-gmail

Note: If you have an existing Gmail account in Thunderbird, you have to change the authentication method in your account settings:

For IMAP in GMail Account settings > Server Settings > Authentication method: "OAuth2"

and for SMTP (sending) there is a separate setting: choose Google Mail (smtp.googlemail.com) > Edit, and again set the authentication method to OAuth2.

(Well, you also could remove your GMail account and create a new one.)

Pedi T.

Posted 2014-12-22T16:47:03.450

Reputation: 179

Is this still an open and standard protocol? How many email clients support it? What are its security benefits? (Your answer is good but until I see such points addressed I don't consider the original question resolved.) – Nemo – 2018-03-19T11:28:56.933

2

Well, I've no idea what security issues the other authentication options have, although I'm interested myself. I was only looking for a practical solution for how I can continue using TB with Gmail and avoid this warning message :-) – Pedi T. – 2018-03-20T07:47:48.933