Feature #11798
Document usage of unfriendly email providers using Icedove in Tails
100%
Description
see https://labs.riseup.net/code/issues/11536#note-10
We need to document that “some unfriendly E-mail providers, like GMail, don’t work well in Icedove in Tails”. Gmail used OAuth, Javascript and deems that using Thunderbird is “insecure”. Furthermore their protection against connections from various places in the world sort of blocks Tor unless the user allows all this specifically and so on and so on.
Subtasks
Related issues
|
Related to Tails - |
Resolved | 2016-06-17 |
History
#1 Updated by Anonymous 2016-09-15 02:01:31
- related to
Bug #11536: Icedove autoconfiguration is broken for ISPs serving a OAuth config added
#2 Updated by Anonymous 2016-09-15 02:02:34
- Target version set to Tails_2.6
- Affected tool set to Email Client
#3 Updated by intrigeri 2016-09-15 04:18:42
- Deliverable for set to 268
#4 Updated by anonym 2016-09-20 16:54:19
- Target version changed from Tails_2.6 to Tails_2.7
#5 Updated by intrigeri 2016-09-30 01:15:46
- Status changed from New to Confirmed
#6 Updated by Anonymous 2016-10-04 13:05:29
- Status changed from Confirmed to Resolved
- % Done changed from 0 to 100
- QA Check set to Pass
Peer reviewed during meeting.
#7 Updated by Anonymous 2016-10-04 13:05:48
- Assignee deleted (
)
#8 Updated by sajolida 2016-10-06 20:59:12
- Assignee set to sajolida
- QA Check changed from Pass to Ready for QA
#9 Updated by intrigeri 2016-10-07 16:45:05
- Status changed from Resolved to In Progress
(Since that’s Ready for QA.)
#10 Updated by sajolida 2016-11-06 17:34:24
- Assignee deleted (
sajolida) - QA Check changed from Ready for QA to Info Needed
- Feature Branch set to doc/11798-unfriendly-email-providers
So I started improving the phrasing only of your note with f02222e..2b919d0. Please check that I didn’t distorted any meaning.
Then I tried to configure my GMail account in Tails and failed. As I understand your note, it should be complicated but possible. Still, I couldn’t make it. I also didn’t understand how the Google page that you are linking would help. Still, the Thunderbird documentation seem to pretend that it’s possible to use Thunderbird 38+ with GMail: https://support.mozilla.org/en-US/kb/thunderbird-and-gmail
So know I’m wondering how we could be more helpful and prevent people from failing like I did. For that I need to understand things better:
- It is actually completely impossible to configure Thunderbird in Tails to use GMail? If so, then should be more explicit about that.
- It is possible in Thunderbird outside of Tails but not inside of Tails? Where does the difference come from? Understanding this would help me know what to document.
- If it is possible but complicated what do people have to do? Just quickly… I can do some more research and testing myself.
#11 Updated by sajolida 2016-11-06 18:17:11
I investigated a bit more. If I understood correctly, OAuth is the mechanism to give app tokens but it’s only required when 2-step authentication is activated for the Google account.
When I tried with 2-step verification turned on, I got an email notification saying that “less secure apps” were blocked with no other option when 2-step verification was turned on.
Then I tried to turned off 2-step verification and I also allowed “less secure apps” to connect. So this time my Google account was not expecting OAuth (if I understood correctly). But then I still got my password rejected in Icedove and with no email notification whatsoever.
#12 Updated by intrigeri 2016-11-07 10:17:40
- Deliverable for changed from 268 to SponsorS_Internal
#13 Updated by sajolida 2016-11-08 19:28:46
I did some more testing today outside of Tails to understand the situation better:
- I installed Thunderbird without Tor.
- I configured GMail in the configuration assistant.
- I got redirected to a login page in the browser (I understands that’s OAuth).
- Once logged in, I got to another web page to allow Thunderbird Email to view and manage my mail.
- I clicked “Allow” and got back to Thunderbird with a working IMAP. I was happy.
- I got a notification on my phone to which I answered that it was really me.
So OAuth is working fine for GMail in Thunderbird outside Tails and without Tor. And I understood wrongly yesterday and OAuth is not only used when using 2-step verification.
Then I tried outside Tails with TorBirdy:
- I deconfigured the previous account.
- I installed TorBirdy.
- I had to configure my account manually because TorBirdy disables the assistant. But “OAuth2” was there as an authentication option and preselected for me.
- I tried to connect and got a browser with the same OAuth web page.
- I entered my password but the resulting page was like an error page saying that it needed JavaScript.
- I closed this browser window and Thunderbird said that it failed connecting to my account.
So my understanding is that GMail from Thunderbird doesn’t work with TorBirdy because TorBirdy blocks all JavaScript.
Now, in Tails I don’t even get this browser window. So we did something else that blocks it. But it doesn’t really matter because it’s not working with TorBirdy in the first place.
My conclusion from all this testing is that it’s impossible to use GMail from Tails (or from Thunderbird with TorBirdy) and not “might not work well”. Sure, Google triggers tons of security verification when you try to use Thunderbird (or Tor Browser) but what’s not working in Thunderbird + TorBirdy or Tails is OAuth and JavaScript because we block it. It’s not Google preventing you to use this software combination.
If you confirm my analysis, then I’ll propose a new phrasing for you note.
#14 Updated by sajolida 2016-11-08 19:32:59
Reading Bug #11536 (a bit late) seems to confirm what I tested today.
#15 Updated by Anonymous 2016-11-09 09:39:01
sajolida wrote:
> I did some more testing today outside of Tails to understand the situation better:
Thanks.
Do you think you could make one more test please? Like trying to use POP? According to https://autoconfig.thunderbird.net/v1.1/gmail.com (that’s the official ISP database entry for Gmail) OAuth is not needed for POP. (But it is for SMTP still.) I’m just curious.
> My conclusion from all this testing is that it’s impossible to use GMail from Tails (or from Thunderbird with TorBirdy) and not “might not work well”. Sure, Google triggers tons of security verification when you try to use Thunderbird (or Tor Browser) but what’s not working in Thunderbird + TorBirdy or Tails is OAuth and JavaScript because we block it. It’s not Google preventing you to use this software combination.
> If you confirm my analysis, then I’ll propose a new phrasing for you note.
That’s very welcome.
Please also note that there are other email providers using OAuth, and those would be affected too.
(mail.ru, googlemail.com, inbox.ru, google.com, list.ru, jazztel.es, bk.ru, corp.mail.ru)
#16 Updated by Anonymous 2016-11-09 09:39:24
- Assignee set to sajolida
- QA Check changed from Info Needed to Dev Needed
Reassigning to you then.
#17 Updated by sajolida 2016-11-11 09:32:22
- Assignee deleted (
sajolida) - QA Check changed from Dev Needed to Ready for QA
POP and SMTP are working without TorBirdy but stop working as soon as I activate TorBirdy.
So I rewrote your note in 2b919d0..c1a1e4b to make it clear that it’s plain impossible. Please review.
I simplified the list to “GMail and Mail.ru” because all of the others are brandings of these two only.
#18 Updated by Anonymous 2016-11-15 09:31:10
- QA Check changed from Ready for QA to Pass
#19 Updated by Anonymous 2016-11-15 13:28:05
- Assignee set to sajolida
Maybe you could merge it please?
#20 Updated by bertagaz 2016-11-17 17:38:36
- Target version changed from Tails_2.7 to Tails_2.9.1
#21 Updated by sajolida 2016-11-21 11:07:15
- Status changed from In Progress to Resolved
- Assignee deleted (
sajolida)
Merged.