Mailing list reminder: password is sent in the clear

Mike Shaver mike.shaver at gmail.com
Fri Jul 1 11:36:13 PDT 2011


On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel <mikesamuel at gmail.com> wrote:
> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>> What can someone do with that password, though? Just change your
>> subscription settings, afaik, so the security in place seems proportionate.
>>
>> Could report it upstream to the mailman team, I suppose.
>
> Use it to do a better job of impersonating.  Try it out on other sites.

I don't understand how you could impersonate better, could you
explain?  You can send mail with any From: you want without bothering
to go through someone's mailman account, and you can't even send mail
from the mailman interface!

Since mailman passwords are randomly generated at subscription time
(and virtually never changed), password reuse is pretty unlikely.

Mike


More information about the es-discuss mailing list