[Announce] Mailman passwords

Dan Harkless gnupg@dilvish.speed.net
Fri Feb 2 01:33:07 2001


Werner Koch <wk@gnupg.org> writes:

> The new mailing list software Mailman chose to name their access
> cookies "passwords". However, the primary use of those passwords is
> to be able to unsubscribe from the list and manage options, like
> "send password reminder".

It wouldn't bother me too much if the passwords were only sent on request. It's the forced monthly reminders that seem gratuitous and very poor security-wise.

> The goal of the password is to make an
> unsubscribe attack somewhat harder to mount; about all mailing list
> software uses a similar technique to do that and those cookies are
> also sent in the clear.

Most mailing list software mails you a unique generated cookie only when you ask to be unsubscribed, and then you have to send that back. So the attacker has to be a current MITM. With these passwords an attacker can grab it once (whether from disk, network sniffing, or whatever) and use it to mess with you in the future.

> IIRC, there used to be a long discussion on the Mailman developers
> list about that issue a long time ago. You should be able to use
> Mailman-driven list without the need for special software (e.g.
> gpg), so that very simple password thingie is something every user
> can understand.

Even if that were a reasonable default (which I don't think it is), that's not a reason they couldn't have more secure and more complicated systems turned on as an option.

-- 
Dan Harkless
SpeedGate Communications, Inc.
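The per-request confirmation cookie described in the message, as an added illustration (not Mailman's code, nor anything from the original thread): the token mailed out is bound to one address, expires, and is accepted exactly once, so a copy captured from disk or off the wire cannot be reused later. The function names, the in-memory pending table and the three-day lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side secret; a real deployment loads it from config.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3 * 24 * 3600          # confirmation must arrive within three days

# nonce -> (address, expiry); an entry is deleted once its token is redeemed
_pending = {}


def _mac(address: str, nonce: str, expiry: int) -> str:
    msg = f"{address}|{nonce}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_unsubscribe_token(address: str, now: Optional[float] = None) -> str:
    """Mail this token to the subscriber when they ask to unsubscribe.
    It is bound to one address, expires, and can be redeemed once."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    expiry = int(now) + TOKEN_TTL
    _pending[nonce] = (address, expiry)
    return f"{nonce}.{expiry}.{_mac(address, nonce, expiry)}"


def confirm_unsubscribe(address: str, token: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token sent back by the
    subscriber; a replayed, expired, forged or misaddressed token is refused."""
    now = time.time() if now is None else now
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    pending = _pending.get(nonce)
    if pending is None or pending != (address, expiry):
        return False
    if now > expiry:
        _pending.pop(nonce, None)       # stale token: forget it
        return False
    if not hmac.compare_digest(mac, _mac(address, nonce, expiry)):
        return False
    del _pending[nonce]                 # single use: a captured copy is now worthless
    return True
```

Contrast this with a long-lived list password, which stays valid for every future request once an attacker has seen it.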