E-mail general

Why does Gmail say that 3rd party email apps (IMAP) are insecure? What do they mean by that?

inb4 >Gmail
I'm in the process of ditching it, still need it for a little while.

Is K9 the best client on Android?

Generally IMAP does not allow access to encrypted filesystem with client-side decryption. Not sure if that's what Gmail minds. Maybe it can't use 2fa?

OP here. I did some reading. Apparently the "problem" with "less secure" apps is that you give them access to your login info (password), whereas with "more secure" apps that use oAuth you don't. Instead the password gets sent directly to Google somehow and the email app only sees some login token, not the password.

Anyway, it seems full of Google specific shit so I don't want to encourage it.
Very few non-Google apps (if any?) support oAuth.

BTW, when you log in through your browser you're also using a "less secure" method, since I'm pretty sure the browser and addons (and OS and other software) can see your password.

Because most people don't understand all the implications of security, including most web devs, entry level IT and software developers.

IMAP by itself is completely unencrypted, for starters. Gmail only offers IMAP over SSL, but good luck getting the average person to make sure their cert checking is working properly. Google controls Chrome so they know that the SSL connection to Gmail is safe.

I think this read is somewhat pertinent to you.
secushare.org/PGP
It's at least worth a quick read if you care about email security.

Also I know the title says PGP, but a lot of it deals with SMTP.
Also based on you ditching gmail soon,
I figure you are heading the GPG/OpenPGP route anyway.

>Gmail only offers IMAP over SSL, but good luck getting the average person to make sure their cert checking is working properly.
Surely the popular email clients all do that?

>I figure you are heading the GPG/OpenPGP route anyway.
No, I just want to stop giving Google too much info. It makes me feel sick, because Google is everywhere.

As long as my emails are encrypted from and to the server (so that my ISP can't read them) it's kinda good enough.

Speaking of email and encryption:
do email servers use encryption when sending emails (say, from yahoo to gmail) or are emails sent as plain text?

The link talks about how broken TLS is in most clients,
most just check for a certificate.
They don't verify if it should belong to that mail server.
So man in the middle is incredibly easy.
Like explained.
Thunderbird is a major offender here and many people use it.
TheBat! is a good example of an email client that warns you to death about invalid certificates.

Also it has a lot of shortcomings that email will always have.

Depends on the email server.
Some support methods read here
secushare.org/federation
It's a very short read:
>Federation is the interchange of data between fixed address servers that authenticate each other by DNS and X.509 and optionally wrap everything into TLS. This describes, non exclusively, SMTP, XMPP and HTTP federation overlays such as OStatus, GNU Social and Diaspora.
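The posts above distinguish a client that only checks that the server presents a certificate from one that also checks the certificate belongs to that mail server. The Python sketch below is an added example, not code from any poster or mail client: it builds both kinds of TLS context for IMAP over SSL and audits them. The function names are hypothetical and the host passed to `open_imap` is whatever server the reader uses.

```python
import imaplib
import ssl


def strict_context() -> ssl.SSLContext:
    """Chain validation plus hostname matching (Python's default client policy)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """The weak pattern: any certificate signed by a trusted CA is accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # certificate is never tied to the server name
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let an on-path party pose as the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def open_imap(host: str, ctx: ssl.SSLContext) -> imaplib.IMAP4_SSL:
    """Connect on port 993, refusing any context that fails the audit."""
    problems = audit(ctx)
    if problems:
        raise ValueError("refusing weak TLS settings: " + "; ".join(problems))
    return imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)


if __name__ == "__main__":
    for name, ctx in (("strict", strict_context()), ("chain-only", chain_only_context())):
        print(name, audit(ctx) or "ok")
```

With the strict context, a certificate issued for a different name fails the handshake with `ssl.SSLCertVerificationError` before any login data is sent.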

Is there a way to get a conversation view in K9, where I can see a thread of emails including my replies?

I recently bought a protonmail account and now use it as my main address. I hope this isn't some Swiss banking jew scam too.

Most of the major providers support in-transit encryption between them like Gmail, Outlook and Yahoo. It's not universal to my knowledge, but the big ones all support it.

So whatever I send can be intercepted and they can see recipient?

Newton (cloudmagic) is the best but you have to pay for it now...... YEARLY. fuckers

Yes. I've used it with OpenSMTPd, Postfix, and Dovecot for five years.

Thunderbird supports oAuth now, so you can use it without switching to "less secure" apps.
I don't know of any free Android app that does, but it is planned for K-9.

But unless you have other valuable things in your Google account (private files, calendar...) it doesn't seem like a big deal.
I mean, your email app will get access to your emails anyway, whether with a password or with a token.

What kind of shit addons and browser are you using that MiTM you?

Is Mutt supporting OAuth now?

Redbull me on BlueMail.
Free, no ads and they say it supports oAuth too.

Looks bad desu
reddit.com/r/galaxynote4/comments/3d2xgw/anyone_know_what_happened_to_bluemail/
sklar.com/2014/10/14/blue-mail/

And TypeApp seems like a reskin.

bump