[Announce] Mailman passwords
Dan Harkless
gnupg@dilvish.speed.net
Fri Feb 2 01:33:07 2001
Werner Koch <wk@gnupg.org> writes:
> The new mailing list software Mailman chose to name their access
> cookies "passwords". However, the primary use of those passwords is
> to be able to unsubscribe from the list and manage options, like
> "send password reminder".
It wouldn't bother me too much if the passwords were only sent on request.
It's the forced monthly reminders that seem gratuitous and very poor
security-wise.
> The goal of the password is to make an
> unsubscribe attack somewhat harder to mount; about all mailing list
> software uses a similar technique to do that and those cookies are
> also sent in the clear.
Most mailing list software mails you a unique generated cookie only when you
ask to be unsubscribed, and then you have to send that back. So the
attacker has to be a current MITM. With these passwords an attacker can
grab it once (whether from disk, network sniffing, or whatever) and use it
to mess with you in the future.
> IIRC, there used to be a long discussion on the Mailman developers
> list about that issue a long time ago. You should be able to use a
> Mailman-driven list without the need for special software (e.g.
> gpg), so that very simple password thingie is something every user
> can understand.
Even if that were a reasonable default (which I don't think it is), that's
not a reason they couldn't have more secure and more complicated systems
turned on as an option.
--
Dan Harkless
SpeedGate Communications, Inc.
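The one-time confirmation cookie Dan describes above (generated only when an unsubscribe is requested, sent back once, and useless afterwards), as an added illustration that is neither Mailman's code nor anything the poster wrote. The list name, the subscriber addresses and the lifetime are constructed for the example; the random-token-plus-server-side-state design is one straightforward way to get single-use, time-limited cookies, not a description of any particular list manager.

```python
"""One-time unsubscribe confirmation cookies (added illustration, hypothetical design)."""
import secrets
import time


class UnsubscribeConfirmer:
    """Issues single-use, short-lived confirmation cookies for unsubscribe requests.

    Hypothetical design, not Mailman's code: the server remembers each pending
    request under a random token; the token mailed to the subscriber is only
    valid for that one list/address pair, expires after `ttl_seconds`, and is
    discarded the first time it is used.  A copy captured from the wire or from
    a mail spool is therefore worthless once the request completes or times out,
    which is the property a persistent, monthly-remailed password lacks.
    """

    def __init__(self, ttl_seconds=3 * 24 * 3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._pending = {}           # token -> (list_name, address, expires_at)

    def request(self, list_name, address):
        """Start an unsubscribe request; returns the cookie to mail to `address`."""
        token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG: not guessable
        self._pending[token] = (list_name, address.lower(), self._clock() + self._ttl)
        return token

    def confirm(self, list_name, address, token):
        """Accept the cookie once; True only for a live, matching, not-yet-used token."""
        entry = self._pending.get(token)
        if entry is None:
            return False                     # unknown, already used, or purged
        stored_list, stored_addr, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[token]         # stale: purge and refuse
            return False
        if (stored_list, stored_addr) != (list_name, address.lower()):
            return False                     # cookie is bound to a different list/address
        del self._pending[token]             # single use: any replay fails from here on
        return True


def demo():
    """Walk the cookie lifecycle with constructed data; returns the observed outcomes."""
    now = [1_000_000.0]                       # fake clock (constructed)
    conf = UnsubscribeConfirmer(ttl_seconds=3600, clock=lambda: now[0])

    # constructed list name and addresses
    token = conf.request("example-announce", "alice@example.org")
    first = conf.confirm("example-announce", "alice@example.org", token)
    replay = conf.confirm("example-announce", "alice@example.org", token)

    other = conf.request("example-announce", "bob@example.org")
    cross = conf.confirm("example-announce", "alice@example.org", other)

    stale = conf.request("example-announce", "carol@example.org")
    now[0] += 3601                            # advance the clock past the TTL
    expired = conf.confirm("example-announce", "carol@example.org", stale)

    return {"first_use": first, "replay": replay, "other_address": cross, "expired": expired}


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome}: {accepted}")
```

Running the module shows the contrast the message draws: the first use of a cookie succeeds, while a replay of the same cookie, a cookie issued for another address, and a cookie past its lifetime are all refused, so an eavesdropper who captures one in transit gains nothing durable.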