On Tue, 2012-10-02 at 10:59 +0300, Jussi Laako wrote:
> On 2.10.2012 9:40, Ole Wolf wrote:
> > The code currently demonstrates that Google's requirement that users
> > manually authorize applications to access their data can easily be
> > circumvented, meaning that it provides a false sense of security. All
> > you need to do is provide your Google username and password to an
> > application, and it will be able to do anything with any of your Google
> > data without you knowing any better.
>
> Users should never enter their Google credentials to any application
> asking for those. Only in either browser authorization page or in a
> trusted SSO user agent.

The problem is that on most Linux systems, neither the browser nor such an
SSO agent is currently necessarily safer or more trustworthy than the
app itself. But I agree that reducing the amount of code which gets
access to the main credentials is a step in the right direction.
A benefit for users on unsecured systems is that the central code can be
taught to set up two-factor credentials for an app, to detect when
Google wants an acknowledgment via the web browser from the user, etc.
Replicating that in all apps which need to log into Google is just a
duplication of effort.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.