[sudo-workers] lack of mailing list security
Todd C. Miller
Todd.Miller at courtesan.com
Thu May 1 13:22:13 EDT 2008
In message <20080501155127.GA2073 at nimenees.com>
so spake Eric Haszlakiewicz (erh+sudo):
> Does anyone else find it ironic that a mailing list for a very security
> oriented program sends out everyone's passwords in plain text emails?
This is really no less secure than interacting with a mailing list
manager by sending tokens back and forth in plain text. If you
can sniff the traffic and want to subscribe/unsubscribe someone
from a list you could do the same thing.
> Logging into the website isn't all that secure either. The certificate
> for the site is for a completely different hostname, but it doesn't matter
> because even if you type in "https", the form on that page _forces_ you
> back to a non-SSL login.
The cert is for the "real" name of the web server. I suppose I
could add a separate cert for each vhost, though that won't solve
the problem where mailman directs you to an http page.
- todd
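The two web-side problems raised in this exchange, a certificate issued for the server's "real" name rather than the vhost you typed, and a login form on an https page whose action sends you back to plain http, are easy to check for mechanically. The following is an added example written for this page; it is not code from the sudo project or from Mailman. The page URL, the HTML and the certificate SAN list are constructed sample data; in practice the SAN names would come from `ssl.SSLSocket.getpeercert()` after a real TLS handshake.

```python
"""Audit an https login page for two weaknesses: a certificate whose
names do not cover the vhost in the URL, and a form whose action posts
over plain http.  Added example; sample data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> element on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def downgrading_forms(page_url, html):
    """Return the absolute action URLs of forms that would submit over
    http from a page that was fetched over https.  Relative actions
    inherit the page's scheme, so only an explicit http:// action is
    reported (the 'forces you back to a non-SSL login' case)."""
    parser = FormActionParser()
    parser.feed(html)
    bad = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        if urlparse(target).scheme == "http":
            bad.append(target)
    return bad


def cert_matches_host(san_names, host):
    """True if some DNS name in the certificate's SAN list covers host.
    A leading '*.' wildcard matches exactly one DNS label (RFC 6125);
    comparison is case-insensitive and ignores a trailing dot."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == name[2:]:
                return True
        elif name == host:
            return True
    return False


def audit(page_url, html, san_names):
    """Run both checks against one page and return the findings."""
    host = urlparse(page_url).hostname
    return {
        "cert_matches_vhost": cert_matches_host(san_names, host),
        "downgrading_forms": downgrading_forms(page_url, html),
    }


# Constructed sample data (hostnames, paths and names are hypothetical).
SAMPLE_PAGE_URL = "https://lists.example.org/mailman/listinfo/sudo-workers"
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://lists.example.org/mailman/private/sudo-workers/">
  <input name="username"> <input type="password" name="password">
</form>
<form method="post" action="subscribe"><input name="email"></form>
</body></html>
"""
# Certificate issued for the server's "real" name, not the list vhost.
SAMPLE_SAN = ["realhost.example.org", "*.realhost.example.org"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_SAN).items():
        print(f"{key}: {value}")
```

Adding a separate certificate per vhost, as suggested above, would make the first check pass; the second only goes away when the login form's action (or the redirect that leads to it) stays on https.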