Google Gmail Blocks Mozilla Thunderbird

By Xah Lee. Date:

Google Mail is blocking Mozilla Thunderbird to access gmail.

Login to server imap.googlemail.com failed.

I use Thunderbird to download my emails to my computer. But i haven't launched it for several months. Today , i did, and got the error message.

This may have happened as early as .

Solution

To solve it, you have to turn off a new google security feature.

Google allow less secure apps blocks help thunderbird 2015-07-18
from Google support. https://support.google.com/accounts/answer/6010255

Allowing less secure apps to access your account

Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep your account safer.

Some examples of apps that do not support the latest security standards include:

The Mail app on your iPhone or iPad with iOS 6 or below The Mail app on your Windows phone preceding the 8.1 release Some Desktop mail clients like Microsoft Outlook and Mozilla Thunderbird

https://support.google.com/accounts/answer/6010255

The Google Way or Highway

Google announced the move to “force” others to use a new security feature, via their official Google blog, at:

New Security Measures Will Affect Older (non-OAuth 2.0) Applications By Google. At http://googleonlinesecurity.blogspot.com/2014/04/new-security-measures-will-affect-older.html , accessed on 2015-07-18〕

Quote:

… We've already implemented developer tools including Google Sign-In and support for OAuth 2.0 in Google APIs and IMAP, SMTP and XMPP, and we're always looking to raise the bar.

In summary, if your application currently uses plain passwords to authenticate to Google, we strongly encourage you to minimize user disruption by switching to OAuth 2.0.

In short, Google wants others to use their security API to login to gmail.

There's the controversy. Is Google forcing others to adopt the Google Way?

Google claims this new way makes things more secure, and allows 2-steps login. (e.g. password plus sending a message to your phone number)

The problem is, the OAuth 2.0 protocol is complex, not just technically, but has political controversy of its own.

Auth is an open standard for authorization. OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner.

OAuth 2.0 Controversy

In July 2012, Eran Hammer resigned his role of lead author for the OAuth 2.0 project, withdrew from the IETF working group, and removed his name from the specification. Hammer pointed to a conflict between the web and enterprise cultures, citing the IETF as a community that is “all about enterprise use cases”, that is “not capable of simple.” What is now offered is a blueprint for an authorization protocol, he says, and “that is the enterprise way”, providing a “whole new frontier to sell consulting services and integration solutions.”[7]

In comparing OAuth 2.0 with 1.0, Hammer points out that it has become “more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.” He explains how architectural changes for 2.0 unbound tokens from clients, removed all signatures and cryptography at a protocol level and added expiring tokens because tokens couldn't be revoked while complicating the processing of authorization. Numerous items were left unspecified or unlimited in the specification because “as has been the nature of this working group, no issue is too small to get stuck on or leave open for each implementation to decide.”[7]

Eran later gave a presentation at &Yet elaborating on his views.[26]

David Recordon later also removed his name from the specifications for unspecified reasons. Dick Hardt took over the editor role, and the framework was published in October 2012.[11]

from OAuth

OAuth 2.0 and the Road to Hell By Eran Hammer. At http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/ , accessed on 2015-07-18〕

The Thunderbird people don't exactly see Google's move as benign neither. So far, they have refused to implement the Google way.

gmail says Thunderbird not safe At http://forums.mozillazine.org/viewtopic.php?f=39&t=2852231 , accessed on 2015-07-18〕

https://bugzilla.mozilla.org/show_bug.cgi?id=849540