[sudo-workers] lack of mailling list security

Eric Haszlakiewicz erh+sudo at nimenees.com
Thu May 1 16:50:59 EDT 2008

On Thu, May 01, 2008 at 01:22:13PM -0400, Todd C. Miller wrote:
> In message <20080501155127.GA2073 at nimenees.com>
> 	so spake Eric Haszlakiewicz (erh+sudo):
> > Does anyone else fine it ironic that a mailing list for a very security 
> > oriented program sends out everyone's passwords in plain text emails?
> This is really no less secure than interacting with a mailing list
> manager by sending a tokens back and forth in plain text.  If you
> can sniff the traffic and want to subscribe/unsubscribe someone
> from a list you could the same thing.

It is MUCH less secure because actual passwords provide more information
than a random key.  Many people use the same (or similar) password on
multiple websites.  Given that, it's rather irresponsible to be sending
their passwords in plaintext.
On the other hand, I just looked at the sign up form, and there's a clear
warning there about this, so for those people that care, they can choose
a password that doesn't relate to anything else.  Of course, I still think
it's better to be more secure by default, rather than depending on the
person signing up to do the right thing.

> > Logging into the website isn't all that secure either.  The certificate
> > for the site is for a completely different hostname, but it doesn't matter 
> > because even if you type in "https", the form on that page _forces_ you 
> > back to a non-SSL login.
> The cert is for the "real" name of the web server.  I suppose I
> could add a separate cert for each vhost, though that won't solve
> the problem where mailman directs you to an http page.

	I don't think you can do that if you're using vhosts.  By the time
the web server figures out which site you're accessing, a secure connection
must already have been set up.  oh well, I guess you can't fix this.

 Fixing the login should be as simple as making the action on that form
be a relative url, or hard coding it to https://hostname/....
 At the very least, I think the login form should have a warning saying 
that it isn't secure, like the signup page does.


More information about the sudo-workers mailing list