
I'm not giving away anything to anyone when I locally install and configure an email client on my computer to access my gmail email account. It's my software I control on my computer.

The idea that people should only use a google application to access google email sounds crazy to me but I understand the situation is different on smartphones where you aren't in control.



You have to trust the email client's developers to not be malicious, to not write insecure software, to not get hacked, and not sell to someone malicious. And on desktop it's worse since they are less secure, as programs can typically read each other's files, meaning some random program can read your Google account password that the email client is using.


I don’t mind two step authentication using TOTP but as soon as you sign in to an android device with a google account, google decides to use that device for two step authentication and there’s no way to stop that short of signing out of google on the device.

But also how do app specific passwords protect you if you have malicious software on your computer rifling through your files?


App-specific passwords are limited to just a couple of services, so somebody stealing one of them can cause a lot less damage than if they got the actual Google password. The app-specific passwords are going to be unique rather than something you've reused on dozens of services, so the password being stolen won't be automatically pivoted to compromising your other accounts. Finally, their use can be audited, and each app-specific password can be revoked independently of each other and of the credentials giving full access to the account.
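An added example (not from any commenter, and not Google's implementation) modelling the properties described above: a constructed account where the primary credential grants every scope, each app-specific password grants only a fixed subset, every use is logged, and each one can be revoked on its own. Scope names and labels are assumed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed scope set; the real services an app password can reach vary by provider.
FULL_SCOPE = frozenset({"mail", "calendar", "drive", "account-settings"})

@dataclass
class Credential:
    label: str
    scopes: frozenset
    secret_hash: str      # only a hash is stored, never the plaintext
    revoked: bool = False

@dataclass
class Account:
    creds: dict = field(default_factory=dict)   # label -> Credential
    audit: list = field(default_factory=list)   # (label, service, allowed)

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, label: str, scopes: frozenset) -> str:
        """Create a random credential; return the plaintext once, keep only its hash."""
        secret = secrets.token_urlsafe(16)
        self.creds[label] = Credential(label, scopes, self._hash(secret))
        return secret

    def authorize(self, secret: str, service: str) -> bool:
        """Allow access only if the matching credential is unrevoked and in scope; log every attempt."""
        digest = self._hash(secret)
        for cred in self.creds.values():
            if secrets.compare_digest(cred.secret_hash, digest):
                allowed = not cred.revoked and service in cred.scopes
                self.audit.append((cred.label, service, allowed))
                return allowed
        self.audit.append(("unknown", service, False))
        return False

    def revoke(self, label: str) -> None:
        self.creds[label].revoked = True

def blast_radius_demo():
    acct = Account()
    primary = acct.issue("primary", FULL_SCOPE)
    mail_client = acct.issue("mail-client", frozenset({"mail"}))   # hypothetical desktop client
    phone = acct.issue("phone", frozenset({"mail", "calendar"}))
    # A leaked app password reaches only its own scope, not Drive or account settings.
    leaked = [acct.authorize(mail_client, s) for s in ("mail", "drive", "account-settings")]
    # Revoking the leaked one leaves the other credentials untouched.
    acct.revoke("mail-client")
    after = (acct.authorize(mail_client, "mail"), acct.authorize(phone, "mail"), acct.authorize(primary, "drive"))
    return leaked, after, acct.audit
```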


>But also how do app specific passwords protect you if you have malicious software on your computer rifling through your files?

It minimizes the blast radius if it is compromised. A Google account provides access to much more than just email.


It's the very same with trusting Google, and my trust in Google is much, much lower than my trust in the developers of the applications I use. Google is a fairly untrustworthy company, which is why I don't use Gmail personally. Unfortunately, I'm forced to use it at my university.


Libre software is a thing. It's not 1990 any more. Also, passwords in mail clients are often encrypted.


>Libre software is a thing.

Most consumers do not know how to check source code for backdoors. Most consumers do not know how to compile from source.

>Also, passwords in mail clients are often encrypted.

Which means they have to be decrypted at some point. Malicious software can decrypt it itself, or steal it after it has been decrypted.


If I believed in conspiracy theories, I'd say that Google encourages the security theater* industry to make you distrust your devices so they can have all your data.

* There are real security vulnerabilities, and there are end-of-the-world articles that try to make you believe the whole world is at risk via some complex exploit that requires the attacker to obtain local root some other way.



