Mailing list reminder: password is sent in the clear

Mike Samuel mikesamuel at gmail.com
Fri Jul 1 11:50:53 PDT 2011


2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
> On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel <mikesamuel at gmail.com> wrote:
>> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>>> What can someone do with that password, though? Just change your
>>> subscription settings, afaik, so the security in place seems proportionate.
>>>
>>> Could report it upstream to the mailman team, I suppose.
>>
>> Use it to do a better job of impersonating.  Try it out on other sites.
>
> I don't understand how you could impersonate better, could you
> explain?  You can send mail with any From: you want without bothering
> to go through someone's mailman account, and you can't even send mail
> from the mailman interface!
>
> Since mailman passwords are randomly generated at subscription time
> (and virtually never changed), password reuse is pretty unlikely.

Can't a mailman account holder associate a public key with a mailman instance?
Obviously, few email recipients check public keys, but to the degree
that mailman facilitates public key exchange and signed email, being
able to change a public key means being able to impersonate.


More information about the es-discuss mailing list