Carl Hutzler’s Blog

Photography, Technology Musings, and other Completely Random Thoughts. Hey, it’s free.

Archive for August, 2006

Useful Thunderbird Plugin for AOL Employees

http://journals.aol.com/godwinbabu/tech/#Entry613

The above plugin for the Thunderbird email client (Windows, Mac, or Linux) lets you specify that the client use the SAME password for SMTP as it does for IMAP. This is great for AOL employees, as we use SecurID devices, which means that our password changes once per minute.

By using this plugin, the Thunderbird client will just reuse the IMAP password for SMTP. So as long as your IMAP session remains active (and it should if your IMAP client stays online), you will no longer have to constantly enter your SMTP password to send mail during the day. (If you are working >12 hours, as many of us are these days, you will have to re-auth for IMAP, as the timeout for IMAP credentials is set to 12 hours.)

And if you need help setting up Thunderbird and are internal, just visit the Wiki.


RSS Feeds and Authentication

One of my teammates (Stu Brandt) was doing some testing/exploration with RSS the other day in preparation for a project we have going to expose some mail transactions in a “web 2.0” kind of way. The idea is to allow people access to their mailbox from a web world, like maybe their myaol page or their myyahoo page, their flickr home page, or AIM pages, etc. You get the idea. But you could also imagine people writing desktop apps like an Apple Widget to have the feed, or a new browser toolbar, blah, blah.

Anyway, people kind of think of their mailbox as private, so a simple RSS syndication of everyone’s mailbox (while interesting) might piss off some folks. Some people just don’t like other people reading their mail (who would have guessed!). So we have to authenticate these feeds.

Stu was playing with Gmail’s feed for his Gmail account (the feed is actually Atom based, just for correctness). During his testing of the Gmail feed, he went to a website called Bloglines, which is essentially a feed aggregator that lets people combine a bunch of RSS feeds from blogs, news sites, etc. into a single page, much like MyAOL does. He entered the Gmail URL into the site and found something interesting. The Bloglines site displayed someone else’s Gmail inbox!

Screenshot

It’s not completely obvious what is happening here, but this is what we thought was going on:

Likely the other Gmail user (Chavescesures@gmail.com) added their inbox Atom feed to their Bloglines screen at some point in time. Bloglines likely has a very well architected and efficient caching system to prevent them from hammering feeds for popular sites, and maybe this caching was the issue? But the interesting thing is that their system somehow did not take into account that the same feed URL (in this case it is https://mail.google.com/mail/feed/atom) might return different results depending on authentication, and so not be something they want to cache. Usually an https would signify that, so I have to admit being a bit confused how Bloglines could be broken like this. Or perhaps it is just a big nasty bug in the Bloglines system?

Either way, it does give one pause as to whether you should ever give your name/password to a third-party site for things like this. If that site is not secure, neither are you.
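
The caching failure hypothesized above, as an added example that is not from the original post and is not Bloglines' code: an aggregator cache keyed on the feed URL alone hands the first subscriber's authenticated feed to everyone else, while a cache keyed on URL plus credentials does not. The URL, account names and the `fetch_upstream` stand-in are constructed for illustration.

```python
import hashlib

FEED_URL = "https://feeds.example.test/inbox/atom"  # hypothetical feed URL
CREDENTIALS = {"alice": "pw-a", "bob": "pw-b"}      # constructed accounts


def fetch_upstream(url, user, password):
    """Stand-in for the mail provider: one URL, body depends on who authenticates."""
    if user is None or CREDENTIALS.get(user) != password:
        return None  # authentication failed
    return f"<feed><title>Inbox for {user}</title></feed>"


class UrlKeyedCache:
    """Flawed: keyed on URL only, so all subscribers share a single entry."""

    def __init__(self):
        self.store = {}

    def get_feed(self, url, user, password):
        if url not in self.store:
            body = fetch_upstream(url, user, password)
            if body is None:
                return None
            self.store[url] = body
        return self.store[url]  # served without checking who is asking


class CredentialAwareCache:
    """Hardened: authenticated fetches get one cache entry per credential."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def _key(url, user, password):
        if user is None:
            return ("public", url)  # anonymous feeds may be shared by URL
        # Hash so the raw password is not kept around as a dictionary key.
        digest = hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()
        return ("private", url, digest)

    def get_feed(self, url, user=None, password=None):
        key = self._key(url, user, password)
        if key not in self.store:
            body = fetch_upstream(url, user, password)
            if body is None:
                return None  # failed fetches are never cached
            self.store[key] = body
        return self.store[key]
```

With the URL-keyed cache, the second subscriber receives the first subscriber's inbox even when presenting a wrong password, because the upstream server is never consulted again.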
