[Announce] Mailman passwords

Werner Koch wk at gnupg.org
Thu Feb 1 09:23:13 CET 2001


Good Morning!

I got a lot of mail with the tenor "It is funny that a mailing list
dedicated to email security sends out passwords in the clear".

The new mailing list software Mailman choosed to name there access
cookies "passwords".  However, the primary use of those passwords is
to be able to unsubscribe from the list and manage options, like
"send password reminder".  The goal of the password is to make an
unsubscribe attack somehat harder to mount; about all mailing list
software uses a similar technique to do that and those cookies are
also send in the clear.

IIRC, there used to be a long discussion on the Mailman developers
list about that issue a long time ago.  You should be able to use
Mailman driven list without the need for special software (e.g.
gpg), so that very simple password thingie is something every user
can understand.  

If it really turns out to be a problem, I can see how I can allocate
some time to setup a https server for your ML management tasks and
disable the password reminders.  That would be an advantage for me
too, because currently I have to use Lynx on the shell of the server
for the admin tasks.

  Werner


-- 
Werner Koch                                              <wk at gnupg.org>
GNU Privacy Guard                                (http://www.gnupg.org)
Free Software Foundation Europe              (http://www.fsfeurope.org)
           [Please see X-* mail header for OpenPGP key info]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 233 bytes
Desc: not available
Url : /pipermail/attachments/20010201/751e311a/attachment.pgp


More information about the Gnupg-announce mailing list