[sudo-workers] lack of mailing list security
erh+sudo at nimenees.com
Thu May 1 16:50:59 EDT 2008
On Thu, May 01, 2008 at 01:22:13PM -0400, Todd C. Miller wrote:
> In message <20080501155127.GA2073 at nimenees.com>
> so spake Eric Haszlakiewicz (erh+sudo):
> > Does anyone else find it ironic that a mailing list for a very security
> > oriented program sends out everyone's passwords in plain text emails?
> This is really no less secure than interacting with a mailing list
> manager by sending tokens back and forth in plain text. If you
> can sniff the traffic and want to subscribe/unsubscribe someone
> from a list you could do the same thing.

It is MUCH less secure because actual passwords provide more information
than a random key. Many people use the same (or similar) password on
multiple websites. Given that, it's rather irresponsible to be sending
their passwords in plaintext.
On the other hand, I just looked at the sign up form, and there's a clear
warning there about this, so for those people that care, they can choose
a password that doesn't relate to anything else. Of course, I still think
it's better to be more secure by default, rather than depending on the
person signing up to do the right thing.

> > Logging into the website isn't all that secure either. The certificate
> > for the site is for a completely different hostname, but it doesn't matter
> > because even if you type in "https", the form on that page _forces_ you
> > back to a non-SSL login.
> The cert is for the "real" name of the web server. I suppose I
> could add a separate cert for each vhost, though that won't solve
> the problem where mailman directs you to an http page.

I don't think you can do that if you're using vhosts. By the time
the web server figures out which site you're accessing, a secure connection
must already have been set up. Oh well, I guess you can't fix this.

Fixing the login should be as simple as making the action on that form
be a relative url, or hard coding it to https://hostname/....
At the very least, I think the login form should have a warning saying
that it isn't secure, like the signup page does.