OAuth2 privacy implications

<t1ao4d$1kau$1@gioia.aioe.org>

From: spa...@nospam.com (Andy Burnelli)
Newsgroups: alt.comp.software.thunderbird,alt.comp.os.windows-10,comp.mobile.android
Subject: OAuth2 privacy implications
Date: Mon, 21 Mar 2022 20:45:06 +0000
Organization: Aioe.org NNTP Server
Message-ID: <t1ao4d$1kau$1@gioia.aioe.org>
 by: Andy Burnelli - Mon, 21 Mar 2022 20:45 UTC

Andy Burns wrote:

> in Thunderbird the token is stored along with passwords, you may need to enter
> your master password to view it.

I don't want more security with my MUA; I want more privacy.

After May 30th, we have four choices (apparently) for security.
1. OAuth2 at least does not require 2FA/2SV but is it keyed to a host?
2. App Passwords requires 2FA/2SV - which if you remove - disables it
3. Password-tokens also require 2FA/2SV - which if you remove - disables it
4. Google Authenticator also requires 2FA/2SV in order to work

We have to keep in mind privacy and security are two completely separate
things in many ways.

We could summarize this difference simply (if a bit inaccurately) as
a. Google doesn't care about your privacy
b. But Google is doing this for your security

Given those are your only choices after May 30th, which of those four
equates to the most privacy (if you don't want the additional security)?

Currently I have Thunderbird set to OAuth2 which I was planning on setting a
good MUA on Android/iOS also to the OAuth2 Framework (it's not a protocol).
<https://datatracker.ietf.org/doc/html/rfc6749> (link by Andy Burns)

I appreciate that Andy Burns said it may be wrong that Google's OAuth2 is
keyed to a specific host, as Andy saw what I saw (I think it was from
VanguardLH) who said that was the case.

Anyone can tell me I'm wrong because my self esteem isn't in my opinions but
in my knowledge of the facts, where I looked at the article Andy Burns cited
and searched for 'host' which was found 20 times but I didn't understand.

The only thing I care about, in terms of privacy, is what loss of privacy do
I have with the OAuth2 method as compared to the 2SV/2FA methods (since
those are my only choices).

Does anyone know?

What are the relevant privacy implications of OAuth2 when used with TB?

Without that answer, we can't make an intelligent selection given we _must_
make a selection after May 30th for whatever non-Google MUA we select.

Re: OAuth2 privacy implications

<6238e78d$0$447$e4fe514c@usenet.xs4all.nl>

 by: Dirk T. Verbeek - Mon, 21 Mar 2022 21:01 UTC

On 21-03-2022 at 21:45, Andy Burnelli wrote:
> Andy Burns wrote:
>
>> in Thunderbird the token is stored along with passwords, you may need
>> to enter your master password to view it.
>
> I don't want more security with my MUA; I want more privacy.
>
> After May 30th, we have four choices (apparently) for security.
> 1. OAuth2 at least does not require 2FA/2SV but is it keyed to a host?
> 2. App Passwords requires 2FA/2SV - which if you remove - disables it
> 3. Password-tokens also require 2FA/2SV - which if you remove - disables it
> 4. Google Authenticator also requires 2FA/2SV in order to work
>
> We have to keep in mind privacy and security are two completely separate
> things in many ways.
>
> We could summarize this difference simply (if a bit inaccurately) as
> a. Google doesn't care about your privacy
> b. But Google is doing this for your security
>
> Given those are your only choices after May 30th, which of those four
> equates to the most privacy (if you don't want the additional security)?
>
> Currently I have Thunderbird set to OAuth2 which I was planning on setting a
> good MUA on Android/iOS also to the OAuth2 Framework (it's not a protocol).
> <https://datatracker.ietf.org/doc/html/rfc6749> (link by Andy Burns)
>
> I appreciate that Andy Burns said it may be wrong that Google's OAuth2 is
> keyed to a specific host, as Andy saw what I saw (I think it was from
> VanguardLH) who said that was the case.
>
> Anyone can tell me I'm wrong because my self esteem isn't in my opinions but
> in my knowledge of the facts, where I looked at the article Andy Burns cited
> and searched for 'host' which was found 20 times but I didn't understand.
>
> The only thing I care about, in terms of privacy, is what loss of privacy do
> I have with the OAuth2 method as compared to the 2SV/2FA methods (since
> those are my only choices).
>
> Does anyone know?
>
> What are the relevant privacy implications of OAuth2 when used with TB?
>
> Without that answer, we can't make an intelligent selection given we _must_
> make a selection after May 30th for whatever non-Google MUA we select.

You should never use the words privacy and Google in one sentence.
The moment you use Gmail your privacy is out of the window.
This has absolutely nothing to do with Thunderbird and the way you'd
authenticate.

Re: OAuth2 privacy implications

<t1aqvt$vj9$1@gioia.aioe.org>

 by: Andy Burnelli - Mon, 21 Mar 2022 21:33 UTC

Dirk T. Verbeek wrote:

> This has absolutely nothing to do with Thunderbird and the way you'd
> authenticate.

With Thunderbird, and all non-Google MUAs, you will have to choose after May
30th if you're not already using one of these four methods to authenticate.
1. OAuth2
2. App Passwords
3. Password-tokens
4. Google Authenticator

Windows:
<https://googleauthenticator.net/>
Android:
<https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2>
iOS:
<https://apps.apple.com/us/app/google-authenticator/id388497605>

Given many are using OAuth2 with Thunderbird, the question is how do the
privacy implications differ from the other three authentication methods.
<https://i.postimg.cc/MGfN2Z7r/gmailpasswd01.jpg> Google May 30 nastigram
<https://i.postimg.cc/2yBvxJhJ/gmailpasswd02.jpg> Due to K9-Mail password
<https://i.postimg.cc/432zCNgx/gmailpasswd03.jpg> Win TB is set to OAuth2
<https://i.postimg.cc/MGs3HSyn/gmailpasswd04.jpg> As are some Android MUAs
<https://i.postimg.cc/cL9r9qFW/gmailpasswd05.jpg> Less secure app access on
<https://i.postimg.cc/RhHkj4gJ/gmailpasswd06.jpg> TB imap & oauth settings
--
Every post to Usenet should strive to add value so that all always benefit.

Re: OAuth2 privacy implications

<t1aun6$e3s$1@gioia.aioe.org>

 by: David E. Ross - Mon, 21 Mar 2022 22:37 UTC

On 3/21/2022 2:33 PM, Andy Burnelli wrote:
> Dirk T. Verbeek wrote:
>
>> This has absolutely nothing to do with Thunderbird and the way you'd
>> authenticate.
>
> With Thunderbird, and all non-Google MUAs, you will have to choose after May
> 30th if you're not already using one of these four methods to authenticate.
> 1. OAuth2
> 2. App Passwords
> 3. Password-tokens
> 4. Google Authenticator

[snipped]

5. Do not use Gmail. Use a real ISP's E-mail service.

--
David E. Ross
"A Message to Those Who Are Not Vaccinated"
See my <http://www.rossde.com/index.html#vaccine>.

Re: OAuth2 privacy implications

<t1b9rl$aru$1@gioia.aioe.org>

 by: Jerry - Tue, 22 Mar 2022 01:47 UTC

On Mon, 21 Mar 2022 21:33:54 +0000, Andy Burnelli wrote:

> With Thunderbird, and all non-Google MUAs

Which of those methods does the Google GMail app use to authenticate?

Re: OAuth2 privacy implications

<t1c9r2$rro$2@toylet.eternal-september.org>

 by: Mr. Man-wai Chang - Tue, 22 Mar 2022 10:53 UTC

On 22/3/2022 4:45 am, Andy Burnelli wrote:
> Andy Burns wrote:
>
>> in Thunderbird the token is stored along with passwords, you may need to enter
>> your master password to view it.
>
> I don't want more security with my MUA; I want more privacy.
>
> After May 30th, we have four choices (apparently) for security.
> 1. OAuth2 at least does not require 2FA/2SV but is it keyed to a host?
> 2. App Passwords requires 2FA/2SV - which if you remove - disables it
> 3. Password-tokens also require 2FA/2SV - which if you remove - disables it
> 4. Google Authenticator also requires 2FA/2SV in order to work
>
> We have to keep in mind privacy and security are two completely separate
> things in many ways.

If you wanna go military, don't trust tools not programmed by yourself
nor your country/religion? ;)

Gmail and Yahoo Mail are always working as they are. Normal users cannot
change them.

Re: OAuth2 privacy implications

<t1lnoh$1rv$3@dont-email.me>

 by: T - Sat, 26 Mar 2022 00:46 UTC

On 3/21/22 13:45, Andy Burnelli wrote:
> Andy Burns wrote:
>
>> in Thunderbird the token is stored along with passwords, you may need
>> to enter your master password to view it.
>
> I don't want more security with my MUA; I want more privacy.
>
> After May 30th, we have four choices (apparently) for security.
> 1. OAuth2 at least does not require 2FA/2SV but is it keyed to a host?
> 2. App Passwords requires 2FA/2SV - which if you remove - disables it
> 3. Password-tokens also require 2FA/2SV - which if you remove - disables it
> 4. Google Authenticator also requires 2FA/2SV in order to work
>
> We have to keep in mind privacy and security are two completely separate
> things in many ways.
>
> We could summarize this difference simply (if a bit inaccurately) as
> a. Google doesn't care about your privacy
> b. But Google is doing this for your security
>
> Given those are your only choices after May 30th, which of those four
> equates to the most privacy (if you don't want the additional security)?
>
> Currently I have Thunderbird set to OAuth2 which I was planning on setting a
> good MUA on Android/iOS also to the OAuth2 Framework (it's not a protocol).
> <https://datatracker.ietf.org/doc/html/rfc6749> (link by Andy Burns)
>
> I appreciate that Andy Burns said it may be wrong that Google's OAuth2 is
> keyed to a specific host, as Andy saw what I saw (I think it was from
> VanguardLH) who said that was the case.
>
> Anyone can tell me I'm wrong because my self esteem isn't in my opinions but
> in my knowledge of the facts, where I looked at the article Andy Burns cited
> and searched for 'host' which was found 20 times but I didn't understand.
>
> The only thing I care about, in terms of privacy, is what loss of privacy do
> I have with the OAuth2 method as compared to the 2SV/2FA methods (since
> those are my only choices).
>
> Does anyone know?
>
> What are the relevant privacy implications of OAuth2 when used with TB?
>
> Without that answer, we can't make an intelligent selection given we _must_
> make a selection after May 30th for whatever non-Google MUA we select.

I have a lot of utilities out there that are using "less
secure Apps" enabled to send mail through smtp.gmail.com.

This google b*** s*** is going to break them all.
