Google Blogoscoped


Calgoo Google Calendar Add-on

Razvan Antonescu [PersonRank 2]

Wednesday, August 23, 2006
17 years ago · 6,811 views

Weird, my NOD32 antivirus detected a worm in the archive... can anyone else confirm?

Tony Ruscoe [PersonRank 10]

17 years ago #

<< The more important problem to me however is that they request me to enter my Google Calendar user name/ password – I won’t do that, no matter how much I have reason to trust the company. >>

Hmmm. I've not had chance to try this yet and to be honest, if what you say is true I probably won't bother.

If Google release an API and expect people to use it, they should offer some kind of authentication process that doesn't rely on your entering your usual Google Account login details into third party applications. There are a few ways they could do this but I guess all would be open to abuse.

Ionut Alex. Chitu [PersonRank 10]

17 years ago #

Tony sez:
If Google release an API and expect people to use it, they should offer some kind of authentication process...

They do. http://code.google.com/apis/accounts/AuthForInstalledApps.html

Tony Ruscoe [PersonRank 10]

17 years ago #

Tony also sez:

<< ...that doesn't rely on your entering your usual Google Account login details into third party applications. >>

The sample requests shown in the page you're referring to include the user's full email address and password – and that's where the problem is.

Sohil [PersonRank 10]

17 years ago #

Neat. It would be nice if Google released a sync for Outlook or Sunbird.

Ionut Alex. Chitu [PersonRank 10]

17 years ago #

Yes, Tony, but if the app uses Google's authentication API the username / password never go to the application.

"With programmatic login implemented, an application's user can log into their Google account from inside the application. The application then contacts Google with the login data and requests access to a specified Google service, such as Calendar. Once access is authorized, the user can create, read, update, or delete data as needed using the application interface.

Programmatic login and authentication is a big step up from the "low-tech" approach, which is to simply include the user's login name and password in every request to Google. With programmatic login, Google supplies the application with a token that can be referenced in all requests instead of login data."

Tony Ruscoe [PersonRank 10]

17 years ago #

One of us is misunderstanding how this works then. Here's how I think it works:

The user enters their Google Accounts username and password into the application, which then gets sent to Google for authentication – but only once. After that, because "programmatic login" is being used, the application doesn't need to "include the user's login name and password in every request to Google" and can send the token instead. (Note: it *did* need to include their details in the first request in order to get the token though.)

I might be wrong, but how else would the user be able to "log into their Google account from inside the application" ... ?

Niraj Sanghvi [PersonRank 10]

17 years ago #

I think Tony's right. From the example in that link, it is the application that forms the request and sends it to Google for authentication. So there's no guarantee the application doesn't also capture the data and store it somewhere.

The mere fact that you're logging in from an application rather than Google means there's a potential for whatever information you provide to get misused. You'd have to really trust the site to use this feature.

Philipp Lenssen [PersonRank 10]

17 years ago #

I understood it like this. You have a webpage as developer. You trigger the Google Login through some link or button. Then the user ends up on Google.com. As "something.google.com" shows in the address bar the user can trust this login. Afterwards, Google redirects back to your developer webpage. You and Google now both have the same token to authenticate the user.

I don't know how this "trust" can be earned in a desktop application, as I don't see an address bar (or if I would see one, I wouldn't trust it).

I installed Calgoo, and after starting the program and entering your Calgoo username and password, the dialog – on their desktop app – asks me to enter my Google Calendar username and password (the same password that can be used to access my emails, my search history etc.).

But I don't know if I understood it right!

Philipp Lenssen [PersonRank 10]

17 years ago #

> You'd have to really trust the site to use this feature.

And you have to trust every programmer who works at that company, and you have to trust every *future* programmer who will work at that company, with access to the code or databases.

Ionut Alex. Chitu [PersonRank 10]

17 years ago #

I've got an idea. What if Google allowed you to create a temporary password you could use, let's say 5 mins and only for a single service. The app would log in with that pass, would receive a token and use that token from now on.

What would be the flaws here?

Jason Schramm [PersonRank 5]

17 years ago #

This is the kind of program I need, but I don't feel comfortable handing over the keys to my account.

Ken Kuhl [PersonRank 7]

17 years ago #

> "And you have to trust every programmer who works at that company, and you have to trust every *future* programmer who will work at that company, with access to the code or databases."

This doesn't only apply to third-party apps/companies. It also applies to Google. Google's employees (or at least some of them) have access to the code and/or user databases, too.

I realize that Google seems more trustworthy than some new company with a third-party app, but why? Trust of this kind comes down to one person, not a whole company. It wouldn't be Google or Calgoo (or some other 3rd party) that would abuse your information, it would be the one bad person who worked for them. And is it really more likely that the bad person would work at Calgoo (or the like)? Google employs thousands more people.

I guess I'm just not clear why everyone blindly trusts Google with their info, but not other companies? Where do you draw the line? How do you decide who to trust: company size, number of employees, number of users, number of news articles about the product, stock price?

(I realize there is also the question of network security, which Google would usually be more competent at, but I'm thinking specifically about employees as Philipp mentioned.)

Saulius [PersonRank 0]

17 years ago #

My NOD32 antivirus also found the Win32/VB.NEI worm in the self-extracting archive.

Philipp Lenssen [PersonRank 10]

17 years ago #

I know Google has my information, so that's the one compromise I'm making, but I don't want to hand out the same info to third parties. I mean I know a Google employee can read my mail if they want to. I believe Google has some measurements in place to avoid that any of the thousands of employees actually can do that, but in theory, yeah, they can read my mail. Of course, we judge Google by their past behavior... if ever they screw up like AOL did recently, we might adjust our approach...

Niraj Sanghvi [PersonRank 10]

17 years ago #

Actually, Philipp's description (exiting to a Google page and then re-entering with authentication) is what I remember originally reading, and applies to web applications. The example above was for installed apps, where they appear to pass the credentials to Google via a POST.

The former method makes sense, and would effectively give you temporary access as Ionut suggested that would only last as long as your single session.
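An added simulation, not code from this thread or from Calgoo, of the two flows the posters are comparing: the installed-application login Ionut linked (the app POSTs the credentials and gets back a token) and the redirect flow Philipp and Niraj describe (the user logs in on google.com and the app only receives a token). The endpoint names, form fields and response format follow the old ClientLogin and AuthSub documentation as I remember them and are assumptions here; the "Google" side is a fake running in-process, and the account is a constructed test value.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
import secrets

ACCOUNTS = {"alice@example.com": "hunter2"}   # constructed test account for the fake "Google"

def google_clientlogin(form_body: str) -> str:
    """Stand-in for POST https://www.google.com/accounts/ClientLogin (assumed format)."""
    f = parse_qs(form_body)
    if ACCOUNTS.get(f["Email"][0]) != f["Passwd"][0]:
        return "Error=BadAuthentication\n"
    return "SID=sid\nLSID=lsid\nAuth=" + secrets.token_hex(12) + "\n"

def google_authsub_login(request_url: str, email: str, password: str) -> str:
    """Stand-in for the user's browser visiting google.com: the password is
    typed there, and Google redirects back to `next` carrying only a token."""
    if ACCOUNTS.get(email) != password:
        raise PermissionError("login at google.com failed")
    nxt = parse_qs(urlsplit(request_url).query)["next"][0]
    return nxt + "?" + urlencode({"token": secrets.token_hex(12)})

def installed_app_login(email: str, password: str) -> dict:
    """AuthForInstalledApps: the app builds the login POST itself, so the raw
    password passes through application code (once); a token is reused after."""
    body = urlencode({"accountType": "GOOGLE", "Email": email, "Passwd": password,
                      "service": "cl", "source": "example-desktop-app"})
    resp = google_clientlogin(body)
    fields = dict(line.split("=", 1) for line in resp.splitlines() if "=" in line)
    if "Auth" not in fields:
        raise PermissionError(fields.get("Error", "unknown error"))
    return {"authorization": "GoogleLogin auth=" + fields["Auth"],  # header for later requests
            "handled": [body, resp]}                                 # every byte the app touched

def web_app_start() -> str:
    """Web flow step 1: the app only constructs the redirect to Google."""
    return "https://www.google.com/accounts/AuthSubRequest?" + urlencode(
        {"next": "https://app.example/callback",
         "scope": "https://www.google.com/calendar/feeds/"})

def web_app_finish(request_url: str, callback_url: str) -> dict:
    """Web flow step 2: the app reads the token Google appended on the way back."""
    token = parse_qs(urlsplit(callback_url).query)["token"][0]
    return {"authorization": 'AuthSub token="%s"' % token,
            "handled": [request_url, callback_url]}

def app_saw_password(result: dict, password: str) -> bool:
    """The thread's question: did the application ever handle the password?"""
    return any(password in item for item in result["handled"])
```

Running both flows against the same account shows the installed-app path handling the password (and so being able to keep it, as Niraj notes) while the redirect path only ever sees a token.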

Support at Calgoo [PersonRank 1]

17 years ago #

The issue of your Google Calendar login is something that we at Calgoo have wrestled with as well. Our application needs to be able to communicate with your GCal in order to function. A key aspect of our strategy is that Calgoo is a desktop based app, so your machine speaks with your Google Calendar and stores your data locally. When Calgoo asks for your GCal credentials they are stored on your computer and your computer only. We are a serious company and our reputation and your security is very important to us.

We have started a dialogue with Google and will be discussing the alternative options with them. If anyone wants to chat with us about this, please feel free to contact us via the blog on our website www.calgoo.com.

Support at Calgoo [PersonRank 1]

17 years ago #

Just to let everyone know, we did verify that NOD triggers on our install kit, McAfee sometimes does as well, but no others that we have used. We found the content that tripped the switch and happily discovered that the 3rd party that provided the offending library had already cleaned that content out (a little quietly for our liking). The content does not trigger NOD or McAfee at runtime, so running Calgoo does not put you at risk. We appreciate the feedback and are updating our download so that we don't worry any more users.

Thanks to everyone who noticed and took the time to post.

Richard Frisch [PersonRank 0]

17 years ago #

I registered, installed and began to use Calgoo until it got to asking for my gmail information. I recognize that this information is necessary for Calgoo to communicate with gCal but it looked like I had to send this information to Calgoo, which I will not knowingly do! I then aborted and uninstalled the application.

I registered the program and gave you my email. That should be sufficient for me to try the program. Why do I have to log in to Calgoo to use the application? If I have to log in, I won't use it. Thought you'd like to know that your algorithm fails me from a privacy and security viewpoint. I will not use it as currently designed. I will not advise anyone else to try it. I will advise others to stay away. I am not trying to be harsh. This is just to provide you with my feedback.
