Mailing list reminder: password is sent in the clear

Mike Shaver mike.shaver at gmail.com
Fri Jul 1 12:00:57 PDT 2011


On Fri, Jul 1, 2011 at 2:50 PM, Mike Samuel <mikesamuel at gmail.com> wrote:
> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>> On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel <mikesamuel at gmail.com> wrote:
>>> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>>>> What can someone do with that password, though? Just change your
>>>> subscription settings, afaik, so the security in place seems proportionate.
>>>>
>>>> Could report it upstream to the mailman team, I suppose.
>>>
>>> Use it to do a better job of impersonating.  Try it out on other sites.
>>
>> I don't understand how you could impersonate better, could you
>> explain?  You can send mail with any From: you want without bothering
>> to go through someone's mailman account, and you can't even send mail
>> from the mailman interface!
>>
>> Since mailman passwords are randomly generated at subscription time
>> (and virtually never changed), password reuse is pretty unlikely.
>
> Can't a mailman account holder associate a public key with a mailman instance?

Not in stock mailman (http://www.gnu.org/s/mailman/features.html), but
there is a fork which permits it, I think.

Mike


More information about the es-discuss mailing list