According to Google, that is–you have to go through a rigamarole to register Outlookwith them to access your account, accepting a page that adjusts your authentication to allow “less secure” apps as a group.
It’s basically a variation of the “not invented here” fallacy. In this case., anything not more or less directly controlled by Google in deemed untrustworthy. All the big Tech concerns do it - Google, Apple, M$, whatever. The intent is to keep you steered in their direction and away from competitors.
It looks like it is talking about external apps that can access your email account. If you want to give an app (like an external email program) permission to access your account, the simplest way is to give the app your username and password and let it log into your account as if it was you (and giving it the exact same permissions as you). This opens up the possibility that a malicious app could abscond with your credentials, or that a buggy app could expose your credentials to malicious third parties accidentally.
The other option is something like OAuth2 where instead of giving the app your username and password, you talk to your email account provider (e.g. Google) and say “here is this app that I want to let access my account, and I want to give it permission to do these things”, and then the email provider and the app have separate authentication between themselves. If the app is then compromised, its permissions can be cancelled separately, and doesn’t compromise your account except to the extent of the permissions you gave it.
This. The OP seems to be down the common road that ‘all email is the same, right?’ - when GMail, for the vast number of users, is a web app completely controlled by Google and requiring only an HTTPS connection outside their sphere.
Outlook, Thunderbird et al. are applications not under Google’s control that users can allow access to the sensitive core of GMail, and thus cause endless headaches not only for the unwary (or stupid) users, but for Google and other users as well.
But yeah - not as much NIH as “Not THOSE Guys Again.”
No the people at google look at the security protocols in use, and decide if they match high medium or low… so if the external app requires the lower security, then it does…
But hmm, it may be because hotmail would allow a low security protocol like POP or HTTP plain text passwords, and so they consider all hotmail at that security level…
leahcim was correct. It’s not the Security Protocols (SSL, TLS, RSA etc) that Google is worried about, it’s the authentication protocol. Specifically, they want to be able to tie the authentication to a specific Application (Outlook) on a specific device (my phone) and a specific user (me).
The work-around is that Google will give you a separate login name and password to use with Outlook. Also, they can send you an SMS for you to reply to, before letting that name and password be used from a different location.
MS does have, and did have, equivalent protocols to do that, but they never became widely adopted, partly because, you know, MS is evil, and you wouldn’t want MS to know what device you are using and where you are.
Intel did have an attempt(last century) to put ID numbers into processors, partly so that the device could be identified for authentication, like your iPhone or Android, but that was knocked back by the Europeans, partly because, you know, Intel and MS are evil, and you wouldn’t want your phone/mail supplier to know who you really are.
!! Tell me more. I have no idea, frankly, what this is. So then I set up mirrors on that account? Everybody knows my address from years back.
Also, about the authentication and its “lack of credentials.” So, to sort of repeat: the no doubt legions and legions of people who use Outlook with a Gmail server are at higher risk of … I don’t know what…?
Because you use lots of different services from different people (SDMB, Facebook, Twitter, Gmail, whatever), you have to remember a lot of passwords, and you’re logging in all the time over and over again.
So for the 30 years or so, people have been working on “single login” systems.
A problem with “single login” systems (and the problem with using the name and password on everything), is that once an attacker is in, they are in to everything. And if everything includes your banking details and irreplaceable photographs, that can be a problem.
Google calls this a “security” problem: we can call it what we will. Google has some methods to mitigate this “security” problem:
They don’t pass the name and password back and forth. It’s encoded once, and that value is used (encrypted) for one application: it can’t be decoded to get the name and password back for any other use.
2)Each encoded login is only valid for one application: your encoded banking login can’t be used for mail or youtube.
3)They use up-to-date encryption to protect your transactions (mail).
Applications that don’t have all these three features don’t have a security problem: you might have a security problem if one, or more importantly several, of the applications you use, don’t have these three features.
Your “security” problem is that if, somehow, someone gets the name and password you are using, you don’t want them to get into everything you own. Google’s solution for this “security” problem is to give you a separate login for Outlook/gMail. At least this is invisible, because you never look at your Outlook/gMail login once you save it into Outlook.
So: Outlook doesn’t have a significant identified security problem: rather, users who use the same name and password for everything have an important identified security problem, Google has their own solution for this problem that they want everyone to use, products that don’t use the Google solution for talking to Google are identified as insecure.
Google’s “solution” to the “problem” (ref Melbourne’s excellent post just above) is like this:
You would have two different usernames and passwords. They both go to the same gmail account and to the exact same email box(es). Nobody needs to learn a new email address for you.
You (the live human) use one username and password to log into your Google account via your browser. That shows you your email, your cloud documents, your social media, and all the other G-whatever stuff that Google wants to sell you.
You configure your Outlook to use the other username and password to connect to your Google account. That username is limited to seeing your Gmail inbox and that’s it. It can’t see any of your other G-whatever content.
That’s it. No more complicated than that.
The “benefit” (almost totally theoretical IMO) is that if some bad guy puts spyware into your Outlook, or if a bug in Outlook provides an exploit that an evil email uses to capture the username and password from Outlook, then the username and password they capture can only be used to impersonate you to access your email, not to dig around in all the rest of your G-whatever content.
That’s all there is to it. IMO it’s about 99% Neener neener, our way is better than your way, and about 1% real tech issue. It’s mostly about making it more difficult for a user to use a mix of apps from different vendors versus simply doing everything Google’s way all the time.
It is incorrect to call OAuth2 “the Google Solution” – it is an open standard developed as a collaboration between a number of internet companies, and is implemented by a wide range of services, including a number of Microsoft’s own.
If the Outlook App does not support OAuth2, then it is a weakness of the app, not merely “doesn’t do it Google’s way”.
No, it’s a weakness in Outlook that they use a proprietary system of MS Passport instead of something everyone uses like OAuth2. You seem to be fundamentally not understanding the issue.
Since Outlook is not just for Microsoft accounts, it should support other methods that might actually be used by other websites. Otherwise, it will be less secure on those accounts. That makes is a security issue.
On the other hand, running a proprietary security system besides your own on your own servers is always less secure, since you are not capable of controlling it and making sure there aren’t any problems.
That’s the point of open standards for security. They can easily propagate to other places without having to trust the authors of the proprietary system.
Outlook is less secure on Gmail than those clients that support OAuth2. It is only comparable in security on Microsoft accounts.