Picasa upload not secure: asks for Google Password

This is a known issue. The move to OAuth/OpenID is ticketed as an enhancement upstream here: http://trac.yorba.org/ticket/3445

shotwell uses the password to get a sessionkey, the password is not stored.. Only the session-id is stored in gconf / dconf

As the upstream dev who wrote Shotwell's Picasa Connector, I can clarify one or two things here. What we're really talking about here are two separate issues:

Issue 1: does Shotwell store any user credentials locally that might present a security risk?

Issue 2: should Shotwell use OAuth authentication for Picasa?

As regards issue 1, Shotwell stores no password information locally whatsoever. When the user types in his or her password in the Picasa Login Pane, it's held in memory only to prepare a secure HTTP request to retrieve a ClientLogin access token. When we request this access token, Shotwell only asks for a limited set of permissions. So there's no risk of Shotwell reading your GMail.

As regards issue 2, Shotwell uses an older Google authentication API called ClientLogin instead of OAuth. This older API is now deprecated and is not recommended for new development (see https://developers.google.com/accounts/docs/AuthForInstalledApps) so we should probably update the Shotwell Picasa Connector to use OAuth. That said, there's no indication that ClientLogin is any less secure than OAuth. ClientLogin is just old.

> That said, there's no indication that ClientLogin is any less secure than OAuth. ClientLogin is just old.

False. The whole point of OAuth is that users don't have to trust random software. I'm new to Shotwell, and it's asking me for my gmail password. How do I know (how could I ever know outside fo reading the codebase) that you aren't trying to get into my email? Doing so would allow you:

1. Access to my money through paypal and online banking
2. The ability to hack my servers (through poking around through logs and such)
3. To steal my identity
4. Basically to ruin my life for a while.

On top of this, when apps innocently ask users for their password, it teaches users bad behaviors, since they become accostomed to giving out their password to random applications. Not a good situation.

Email requires *incredibly* high levels of security, and Shotwell should *never* ask for a user's password to it.

Good point. (On the other hand, it could be said that you have to completely trust *any* software that you run on your local machine, at least with today's operating system architectures. Even if Shotwell doesn't ask for your password directly, if the software is malicious it could install a keylogger or a browser plugin or a similar hack to grab the password when you enter it into another application. I believe that some such attacks are viable even if Shotwell doesn't run as root.)

In any case, I think it's time for Shotwell to switch to OAuth/OpenID. I've marked the upstream ticket (http://trac.yorba.org/ticket/3445) for the next Shotwell release (0.13).

ClientLogin is old technology. It doesn;t provides the secure handshake as today. I agree Shotwell should switch to switch to OAuth/OpenID. OAuth/OpenID may make your online experience simpler by providing the necessary info to the servers instead of signing up an extra account for the site. There are some HTTPS SSL encyrption to improve.

Shotwell has already switched (in the recent 0.13.0 release) to using OAuth for Picasa authentication. See

http://redmine.yorba.org/issues/3445#note-8

So I'm marking this bug fixed.