What considerations should privacy-minded people take into account to make this decision?
For context, I’m using FairEmail because K-9 doesn’t seem to be able to move multiple emails at a time to a desired folder. K-9 doesn’t use OAuth, so I don’t have a choice to make there.
However, FairEmail does use OAuth. And, when reading about OAuth, it apparently is safer than the alternative. This alternative is either using the main account (with no 2FA) or using an app-specific password (with 2FA activated).
Hearing this, it would be a no-brainer for me to choose the OAuth, but the issue is that Google only lets you do OAuth if the app is downloaded from the Google Play Store and if the account is set up as a phone-wide account. Ouch.
And yet I wonder if the security of OAuth is so much greater that I should forget about the alternative.
This only doesn’t work while you’re in the “Unified Inbox” view. You could be selecting mails from different accounts, so it can’t really just move mails in bulk. I guess it could handle that more gracefully, but that’s the reason why they haven’t implemented it in that view.
And, I’m not informed enough about OAuth to have a true opinion, but this feels like the old “X is safer, if you don’t consider $BIGCORP an attack vector”.
And yeah, I’m always cautious with that, since a lot of these opinions come from the US, which doesn’t have privacy standards to begin with, and will only really have its own intelligence agencies (NSA, CIA, FBI) rifle through its data, and of course because many US-Americans are a bit too supportive of their regional monopolists.
Obvious things first: AFAIK mostly Google- and Microsoft-hosted mail servers have OAuth for IMAP; for privacy-minded people both should be a no-go. Also, if you use the same phone as a second factor, 2FA is only of very limited use.
Assuming you use an encrypted connection (use a dedicated TLS-only port, not STARTTLS!) to your mail server, there is no practical difference between the “traditional” user:password-type authentication mechanisms, so you won’t really need to assess those separately. OAuth may be conceptually safer if you use 2FA, but it adds a lot of complexity, expanding the attack surface, so it’s kind of a trade-off.
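The point above about a TLS-only port versus STARTTLS, and about password mechanisms being equivalent once the channel is encrypted, as an added Python example (not code from the thread or from FairEmail/K-9): it parses an IMAP CAPABILITY line, lists the advertised mechanisms (AUTH=PLAIN, AUTH=XOAUTH2, ...) and refuses to authenticate unless the session is already on implicit TLS or can be upgraded first. The sample CAPABILITY line is constructed, not captured from any real server, and `assess_live` needs network access.

```python
import imaplib
import ssl
from dataclasses import dataclass

@dataclass
class ImapAuthAssessment:
    mechanisms: list        # SASL mechanisms advertised as AUTH=<name>
    starttls_offered: bool  # server can upgrade a cleartext session
    login_disabled: bool    # plain LOGIN refused (typically until TLS is up)
    verdict: str            # "ok", "starttls-required" or "unsafe"

def parse_capabilities(line: str) -> set:
    """Split an IMAP CAPABILITY response into upper-cased tokens."""
    tokens = line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:  # untagged response form
        tokens = tokens[2:]
    return {t.upper() for t in tokens}

def assess(capability_line: str, implicit_tls: bool) -> ImapAuthAssessment:
    """Decide whether to authenticate on this session.
    implicit_tls=True: socket opened on a TLS-only port (993); every mechanism,
    PLAIN included, is then equally protected in transit."""
    caps = parse_capabilities(capability_line)
    mechanisms = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    starttls = "STARTTLS" in caps
    login_disabled = "LOGINDISABLED" in caps
    if implicit_tls:
        verdict = "ok"
    elif starttls:
        verdict = "starttls-required"  # never send credentials before upgrading
    else:
        verdict = "unsafe"             # no way to encrypt: do not authenticate
    return ImapAuthAssessment(mechanisms, starttls, login_disabled, verdict)

def strict_tls_context() -> ssl.SSLContext:
    """Context for imaplib.IMAP4_SSL: certificate and hostname checks stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def assess_live(host: str) -> ImapAuthAssessment:
    """Connect on the TLS-only port and assess what the server advertises."""
    with imaplib.IMAP4_SSL(host, 993, ssl_context=strict_tls_context()) as client:
        typ, data = client.capability()
        return assess(data[0].decode(), implicit_tls=True)

# Constructed sample, not captured from any real server.
SAMPLE_CAPS = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=XOAUTH2 AUTH=PLAIN"
```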