Mailing list reminder: password is sent in the clear
mikesamuel at gmail.com
Fri Jul 1 11:50:53 PDT 2011
2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
> On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel <mikesamuel at gmail.com> wrote:
>> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>>> What can someone do with that password, though? Just change your
>>> subscription settings, afaik, so the security in place seems proportionate.
>>> Could report it upstream to the mailman team, I suppose.
>> Use it to do a better job of impersonating. Try it out on other sites.
> I don't understand how you could impersonate better, could you
> explain? You can send mail with any From: you want without bothering
> to go through someone's mailman account, and you can't even send mail
> from the mailman interface!
> Since mailman passwords are randomly generated at subscription time
> (and virtually never changed), password reuse is pretty unlikely.
Can't a mailman account holder associate a public key with a mailman instance?
Obviously, few email recipients check public keys, but to the degree
that mailman facilitates public key exchange and signed email, being
able to change a public key means being able to impersonate.