WHY the Thunderbird VS gmail-Google Security process CONFLICT?

bryanleeward · March 18, 2019, 8:13pm

PLEASE HELP… this effects many Thunderbird & gmail users:

Every few months I get “Security” alerts from Google re my gmail Security Settings, saying: “Turn off less secure access.” IF I do that, then I can’t boot Thunderbird!
I’ve had same problem with Thunderbird-gmail using Debian, Trisquel, and Ubuntu.

Yet ironically, when I receive these Google alerts, Thunderbird gives also gives me a warning - “To protect your privacy, Thunderbird has blocked remote content in this message.”

IE to get Thunderbird and gmail to work together, I have to disregard BOTH your security alerts! WHY?.. but more importantly:

Is there a way to keep max Google Security Settings AND still use Thunderbird?_____
Is Thunderbird really less secure, even with other email systems?______

Thanks for any help,
Bryan

dugite-code · March 20, 2019, 6:40am

First of all there is nothing to be concerned about

Google considers all 3rd party access to email i.e. Thunderbird, Outlook ect to be Less secure than the web interface. This is both correct and incorrect depending on your situation. Google’s max security disables 3rd party access to your emails, this allows them to: block bad IP’s, use two factor auth and use browser fingerprinting to detect illegitimate access.

Thunderbird is not insecure at all. Google just want’s the majority of users to go through a more limited access method.

I don’t ever see such emails because I enabled two factor auth and use an app password with a limited scope to the Mail app. Consider going this route if it concerns you.

Thunderbird blocks remote content. I.e. it stops images and other files from being loaded from the internet when viewing an email. As email is mostly html automatically loading images from the web is not a great idea security wise. Initially this will be a pain point but you eventually build up a white-list of legitimate remote content, nice and secure.

I recommend using the allow from domain names rather than sender address as that’s harder to spoof than an email address:

bryanleeward · March 20, 2019, 8:50pm

Thanks very much
for both the useful information and practical “how-to”
suggestions!

    I'll be sure to use TB's "Allow remote content.." from Secure

Domains only, and Not for any specific email addresses.

    I don't think I can use the "2 factor auth" or "app PWD with a

limited scope…", but now I’m not significantly concerned about
additional precautions.

    Bryan

MattAU · April 6, 2019, 1:50am

If you use oauth Authentication method then you do not need to use less secure apps. But at the moment that is limited to IMAP mail accounts only.

I filed a bug a couple of weeks ago to add POP accounts as it would appear Google now support them, but there has been no action on that front as yet. https://bugzilla.mozilla.org/show_bug.cgi?id=1538409

bryanleeward · April 7, 2019, 12:36am

Hi Matt

    Thank you for the info.  I am using a POP acct., and have for a

few years via Thunderbird. At this point I don’t recall for
certain, but I think at one point it caused no need to choose to
set Google to “allow insecure apps”… but it has for some time
now. I hope that that bug report you filed will lead to Google
being more accommodating of Thunderbird… I get the impression
the problem is caused by unnecessary “security” requirements on
Google’s part. I only use a computer to access gmail, no other
apps; and I don’t care to give Google my phone number - they
track too much for my liking as is. SO, far as I know that
means I can’t use the “2 factor auth” or an “app PWD”. IF
Google does drop the current need to “Allow less secure apps”,
in order to be able to use Thunderbird, I hope they’ll notify
their gmail users!