Mailing list reminder: password is sent in the clear

# Axel Rauschmayer (14 years ago)

Can this be fixed? I’ve already sent feedback, but didn’t get a response.

Preferably, passwords would also be encrypted for storage.

# André Bargull (14 years ago)

Log-in at [1] and remove the option to send a monthly password reminder?

Get password reminder email for this list?

Once a month, you will get an email containing a password reminder for every list at this host to which you are subscribed. You can turn this off on a per-list basis by selecting /No/ for this option. If you turn off password reminders for all the lists you are subscribed to, no reminder email will be sent to you.

[1] mail.mozilla.org/options/es

# Axel Rauschmayer (14 years ago)

That’s a good start, thanks. Still find it a bit scary that there’s no encryption.

# Mike Shaver (14 years ago)

What can someone do with that password, though? Just change your subscription settings, afaik, so the security in place seems proportionate.

Could report it upstream to the mailman team, I suppose.

Mike

On Jul 1, 2011 10:09 AM, "Axel Rauschmayer" <axel at rauschma.de> wrote:

> That’s a good start, thanks. Still find it a bit scary that there’s no encryption.
>
> On Jul 1, 2011, at 16:07 , André Bargull wrote:
>
>> Log-in at [1] and remove the option to send a monthly password reminder?
>>
>> Get password reminder email for this list? Once a month, you will get an email containing a password reminder for every list at this host to which you are subscribed. You can turn this off on a per-list basis by selecting No for this option. If you turn off password reminders for all the lists you are subscribed to, no reminder email will be sent to you.
>>
>> [1] mail.mozilla.org/options/es-discuss
>>
>>> Can this be fixed? I’ve already sent feedback, but didn’t get a response.

# Mike Samuel (14 years ago)

2011/7/1 Mike Shaver <mike.shaver at gmail.com>:

> What can someone do with that password, though? Just change your subscription settings, afaik, so the security in place seems proportionate.
>
> Could report it upstream to the mailman team, I suppose.

Use it to do a better job of impersonating. Try it out on other sites.

# Mike Shaver (14 years ago)

On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel <mikesamuel at gmail.com> wrote:

> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>
>> What can someone do with that password, though? Just change your subscription settings, afaik, so the security in place seems proportionate.
>>
>> Could report it upstream to the mailman team, I suppose.
>
> Use it to do a better job of impersonating. Try it out on other sites.

I don't understand how you could impersonate better, could you explain? You can send mail with any From: you want without bothering to go through someone's mailman account, and you can't even send mail from the mailman interface!

Since mailman passwords are randomly generated at subscription time (and virtually never changed), password reuse is pretty unlikely.

Mike
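The two storage designs argued about above, as an added example that is not part of the thread or of Mailman's code: a store that keeps the password recoverable (the only way a monthly reminder mail can be produced, and the reason the credential travels and sits in the clear) beside a store that keeps only a salted PBKDF2 hash and replaces the reminder with a short-lived, single-use reset token. The per-subscription password is minted randomly, matching the point that such passwords are unlikely to be reused elsewhere. Iteration count, token lifetime, the `lists.example` URL and the addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for this example; they are not Mailman's settings.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
TOKEN_TTL_SECONDS = 3600


def generate_subscription_password(nbytes: int = 12) -> str:
    """Mint a random per-subscription password at sign-up, so it is never a
    credential the subscriber also uses elsewhere."""
    return secrets.token_urlsafe(nbytes)


class PlaintextReminderStore:
    """The design the thread objects to: the server keeps the password
    recoverable so it can mail it back in a monthly reminder."""

    def __init__(self):
        self._passwords = {}  # email -> plaintext password

    def subscribe(self, email):
        pw = generate_subscription_password()
        self._passwords[email] = pw
        return pw

    def check(self, email, candidate):
        stored = self._passwords.get(email, "")
        return hmac.compare_digest(stored.encode(), candidate.encode())

    def monthly_reminder(self, email):
        # Whoever reads this mail in transit, or dumps the store, now holds a
        # working credential.
        return "Your password for this list is: " + self._passwords[email]


class HashedResetStore:
    """Alternative: keep only a salted PBKDF2 hash. A reminder cannot be built
    from what is stored, so recovery issues a one-time reset token instead."""

    def __init__(self, now):
        self._records = {}  # email -> (salt, derived key)
        self._tokens = {}   # sha256(token) -> (email, expiry time)
        self._now = now     # injectable clock so expiry can be exercised

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def subscribe(self, email):
        pw = generate_subscription_password()
        salt = os.urandom(SALT_BYTES)
        self._records[email] = (salt, self._derive(pw, salt))
        return pw  # shown once to the subscriber; the store never sees it again

    def check(self, email, candidate):
        record = self._records.get(email)
        if record is None:
            # Burn a derivation anyway so unknown addresses do not answer faster.
            self._derive(candidate, b"\0" * SALT_BYTES)
            return False
        salt, dk = record
        return hmac.compare_digest(self._derive(candidate, salt), dk)

    def recovery_email(self, email):
        """What replaces the reminder: a token, never the password. Only the
        token's hash is stored, so a dumped table cannot redeem it, and the
        mail text is identical for unknown addresses."""
        token = secrets.token_urlsafe(32)
        if email in self._records:
            key = hashlib.sha256(token.encode()).digest()
            self._tokens[key] = (email, self._now() + TOKEN_TTL_SECONDS)
        return "To choose a new password visit https://lists.example/reset?token=" + token

    def redeem(self, token, new_password):
        key = hashlib.sha256(token.encode()).digest()
        entry = self._tokens.pop(key, None)  # pop: a token works at most once
        if entry is None:
            return False
        email, expires = entry
        if self._now() > expires:
            return False
        salt = os.urandom(SALT_BYTES)
        self._records[email] = (salt, self._derive(new_password, salt))
        return True


if __name__ == "__main__":
    import time
    legacy = PlaintextReminderStore()
    legacy.subscribe("alice@example.org")
    print(legacy.monthly_reminder("alice@example.org"))  # the reminder is the credential
    modern = HashedResetStore(now=time.time)
    modern.subscribe("bob@example.org")
    print(modern.recovery_email("bob@example.org"))      # no password anywhere in it
```

The contrast worth noticing is that `monthly_reminder` exists only because the plaintext is on disk; once the store holds a hash, the same feature is impossible and a reset flow with a hashed, expiring, single-use token takes its place. The dummy derivation in `check` keeps the response time of unknown addresses in line with known ones.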

# Mike Samuel (14 years ago)

2011/7/1 Mike Shaver <mike.shaver at gmail.com>:

> On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel <mikesamuel at gmail.com> wrote:
>
>> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>>
>>> What can someone do with that password, though? Just change your subscription settings, afaik, so the security in place seems proportionate.
>>>
>>> Could report it upstream to the mailman team, I suppose.
>>
>> Use it to do a better job of impersonating. Try it out on other sites.
>
> I don't understand how you could impersonate better, could you explain? You can send mail with any From: you want without bothering to go through someone's mailman account, and you can't even send mail from the mailman interface!
>
> Since mailman passwords are randomly generated at subscription time (and virtually never changed), password reuse is pretty unlikely.

Can't a mailman account holder associate a public key with a mailman instance? Obviously, few email recipients check public keys, but to the degree that mailman facilitates public key exchange and signed email, being able to change a public key means being able to impersonate.

# Mike Shaver (14 years ago)

On Fri, Jul 1, 2011 at 2:50 PM, Mike Samuel <mikesamuel at gmail.com> wrote:

> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>
>> On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel <mikesamuel at gmail.com> wrote:
>>
>>> 2011/7/1 Mike Shaver <mike.shaver at gmail.com>:
>>>
>>>> What can someone do with that password, though? Just change your subscription settings, afaik, so the security in place seems proportionate.
>>>>
>>>> Could report it upstream to the mailman team, I suppose.
>>>
>>> Use it to do a better job of impersonating. Try it out on other sites.
>>
>> I don't understand how you could impersonate better, could you explain? You can send mail with any From: you want without bothering to go through someone's mailman account, and you can't even send mail from the mailman interface!
>>
>> Since mailman passwords are randomly generated at subscription time (and virtually never changed), password reuse is pretty unlikely.
>
> Can't a mailman account holder associate a public key with a mailman instance?

Not in stock mailman (www.gnu.org/s/mailman/features.html), but there is a fork which permits it, I think.

Mike