[Users] Migrating account authentication from basic POP to OAuth2

Jeffrey Walton noloader at gmail.com
Wed Dec 21 18:46:42 UTC 2022


On Wed, Dec 21, 2022 at 5:42 AM Paul <paul at claws-mail.org> wrote:
> Paul Rolland <rol at witbe.net> wrote:
>
> > No, I mean "basic authentication with POP3", the "legacy one" that was
> > defined in POP3 RFC (User xxx, Pass yyy).
>
> OK. But, of course, you've been using TLS to secure your log-in up to now.
>
> There seemed to be a subtext to your original, as if you were somehow
> improving your security by switching to oauth2, when using a username and
> password with TLS is no less secure than oauth2.

If you only look at the execution of one instance of the protocol in
isolation, then basic_auth and oauth have about the same properties.
Oauth may do a little worse in this case since the user and email
service are a relying party, so there is trust involved.[*] The
interesting case is over time after multiple instances of the protocol
have been executed. Even though trust is still involved, the outcomes
are usually better over time using oauth.

You also have to understand how PKIX operates and the agent security
model. The agent has likely inherited the web security model through
choice of dependent components. That's a lot of attack surface for
several reasons, like Priority of Constituencies.[1]

> There always seems to be this subtext, that somehow oauth2 is more secure,
> being stressed, and not enough refuting of it. If you use "12345" or similar
> weak passwords, and you reuse those passwords across all your log-ins then,
> yes, oauth2 can help. But no-one in their right mind would do that. In my
> view, it is always better to educate than secure people in their ignorance.

What the security community found (through years of trial and error,
and security usability studies), is that most users are in the group
that is labeled as "not in their right mind." You have to design a
system that works around the user's bad choices and bad behaviors.

A good read on the subject matter is Peter Gutmann's Engineering
Security.[2] See Chapter 2 on Psychology. It explains how a typical
user thinks, and why they think and act the way they do. (Gutmann's
PhD dissertation was related to security and usability, and how to
build secure systems despite users making bad choices).

Jeff

[*] Trust is a tricky concept to model. But I usually say, Trust is
what you use when you don't have a security control to place.

[1] https://www.w3.org/TR/design-principles/
[2] https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf
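To make the "one instance versus many instances over time" argument above concrete, here is an added illustration (not from the thread or from Claws Mail) in Python. It builds the two POP3 client exchanges, the legacy USER/PASS login and the SASL XOAUTH2 initial response that OAuth2-capable servers accept, and then runs a toy model of what an attacker holds if the credential sent in one session is captured: the password is good until someone rotates it, while an access token is mail-scoped and dies at its expiry. The session interval, token lifetime, horizon, addresses and token strings are constructed sample values; the refresh-token side of OAuth2 is deliberately left out of the model.

```python
"""Added example: POP3 USER/PASS versus AUTH XOAUTH2, plus a toy exposure model.
Assumptions (not from the thread): all numbers, addresses and tokens below are
constructed sample values; refresh tokens are not modelled."""
import base64
from dataclasses import dataclass
from typing import Optional


def basic_auth_exchange(user: str, password: str) -> list[str]:
    """Client lines for the legacy POP3 login: the long-lived password itself
    crosses the wire on every session (protected only by the TLS layer)."""
    return [f"USER {user}", f"PASS {password}"]


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 initial client response:
    'user=<addr>^Aauth=Bearer <token>^A^A', where ^A is byte 0x01."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2_initial_response(encoded: str) -> tuple[str, str]:
    """Inverse of xoauth2_initial_response; handy when checking a capture or
    a server log to confirm what a client actually sent."""
    raw = base64.b64decode(encoded).decode("utf-8")
    fields = raw.rstrip("\x01").split("\x01")
    user = fields[0].removeprefix("user=")
    token = fields[1].removeprefix("auth=Bearer ")
    return user, token


def xoauth2_exchange(user: str, access_token: str) -> list[str]:
    """Client line for POP3 'AUTH XOAUTH2' with the initial response inline."""
    return [f"AUTH XOAUTH2 {xoauth2_initial_response(user, access_token)}"]


@dataclass
class Credential:
    issued_at: int            # seconds since start of the simulation
    lifetime: Optional[int]   # None: valid until a human rotates it
    scope: str                # what the holder can do with it


def usable_after_leak(cred: Credential, leak_at: int, horizon: int) -> int:
    """Seconds a credential captured at leak_at stays usable before horizon."""
    if cred.lifetime is None:
        expires = horizon
    else:
        expires = min(horizon, cred.issued_at + cred.lifetime)
    return max(0, expires - leak_at)


def compare_over_sessions(sessions: int, interval: int, token_lifetime: int,
                          leak_session: int, horizon: int) -> dict[str, dict]:
    """Run `sessions` logins `interval` seconds apart and assume the credential
    presented in session `leak_session` (0-based) is captured. Report, per
    scheme, how long the captured secret is usable and what it unlocks."""
    password = Credential(issued_at=0, lifetime=None, scope="whole account")
    # OAuth2: each session presents a fresh, short-lived, mail-scoped token.
    tokens = [Credential(issued_at=i * interval, lifetime=token_lifetime,
                         scope="mail only") for i in range(sessions)]
    leak_at = leak_session * interval
    return {
        "basic_auth": {
            "usable_seconds": usable_after_leak(password, leak_at, horizon),
            "scope": password.scope,
        },
        "oauth2_access_token": {
            "usable_seconds": usable_after_leak(tokens[leak_session], leak_at, horizon),
            "scope": tokens[leak_session].scope,
        },
    }


if __name__ == "__main__":
    print(basic_auth_exchange("alice@example.org", "hunter2"))
    print(xoauth2_exchange("alice@example.org", "EXAMPLE-ACCESS-TOKEN"))
    # Ten sessions, one every 10 minutes, one-hour tokens, capture in session 3,
    # measured over a week of unchanged password.
    print(compare_over_sessions(sessions=10, interval=600, token_lifetime=3600,
                                leak_session=3, horizon=7 * 24 * 3600))
```

Note that the model only speaks to what a captured wire credential buys an attacker; it does not rank the trust you extend to the identity provider, which is the relying-party point made in the first paragraph.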
