Doesn't use secure API service
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| GMail Notifier |
New
|
Undecided
|
Unassigned | ||
| gm-notify (Ubuntu) |
Triaged
|
Wishlist
|
Unassigned | ||
Bug Description
Binary package hint: gm-notify
It would be more secure if gm-notify didn't actually ask for the user's password, but instead authenticated with a Gmail API key thing. (I'm sorry if you can't understand me, I'm not a technical person.) You may have seem Flickr do this with its client applications, for example.
This would have the following advantages:
1. The permission granted to each copy of gm-notify would be easily revocable.
2. It would mean the password can't be directly stolen.
3. If the key was stolen or misused, it could only access a limited amount of the data associated with you Google Account. E.g. just headers of received emails.
4. Should there be a security hole in this program allowing attackers to steal login info, it would be easier for Google to pinpoint that it was this application that had the security hole.
5. It might be slicker and more convenient to the user.
(Alternatively, the application should be tested with Google's two-factor authentication. Currently, it seems a bit problematic, even when you use the application-
Ubuntu 11.04 Natty.
0.10.3-0ubuntu1 (gm-notify)
Thank-you.
| Changed in gm-notify (Ubuntu): | |
| importance: | Undecided → Wishlist |
| status: | New → Triaged |
| Grummfy (grummfy) wrote | #1 |
| information type: | Public → Public Security |
| information type: | Public Security → Public |
Hello,
this also add the advantage that people who activate the double authentification factor will have it for no effort ;)