Hi all,
I just got this email from bugzilla. Apparently Google Apps has screwed up something again so the message itself doesn't annoy me, but why are the users' passwords still sent in CLEARTEXT in these days?? Can someone (tm) of the mailman admins or tech guys please fix this up?
Thanks, Marco
On Wed, Feb 10, 2010 at 2:47 PM, wikitech-l-request@lists.wikimedia.org wrote:
> Your membership in the mailing list Wikitech-l has been disabled due to excessive bounces. The last bounce received from you was dated 10-Feb-2010. You will not get any more messages from this list until you re-enable your membership. You will receive 3 more reminders like this before your membership in the list is deleted.
> To re-enable your membership, you can simply respond to this message (leaving the Subject: line intact), or visit the confirmation page at
> https://lists.wikimedia.org/mailman/confirm/wikitech-l/dfe03c58a0a1fe2700f74689430fa846e36fbcdb
> You can also visit your membership page at
> https://lists.wikimedia.org/mailman/options/wikitech-l/marco%40harddisk.is-a...
> On your membership page, you can change various delivery options such as your email address and whether you get digests or not. As a reminder, your membership password is
> <blanked>
> If you have any questions or problems, you can contact the list owner at
> wikitech-l-owner@lists.wikimedia.org
On 02/10/2010 08:49 PM, Marco Schuster wrote:
> Hi all,
> I just got this email from bugzilla. Apparently Google Apps has screwed up something again so the message itself doesn't annoy me, but why are the users' passwords still sent in CLEARTEXT in these days?? Can someone (tm) of the mailman admins or tech guys please fix this up?
> Thanks, Marco
The point of the password is so you can prove to the web interface that you own the email address; so the fact that it is in your email box doesn't matter much. (If your email gets hacked this is the last thing you're likely to be worried about after all.) As it says on sign up "do not use a valuable password".
As far as I'm aware there's no flag to modify this behaviour, so any local fixes would have to be hacks to mail-man. As I'm sure you can't be the only one who wants this fixed, I recommend you try and contact the mail-man folk directly.
Conrad
On 10 February 2010 21:00, Conrad Irwin conrad.irwin@googlemail.com wrote:
> The point of the password is so you can prove to the web interface that you own the email address; so the fact that it is in your email box doesn't matter much. (If your email gets hacked this is the last thing you're likely to be worried about after all.) As it says on sign up "do not use a valuable password".
It doesn't require your email to be hacked, though. There is no security in the email system, they can be intercepted at any point.
On 02/10/2010 09:15 PM, Thomas Dalton wrote:
> On 10 February 2010 21:00, Conrad Irwin conrad.irwin@googlemail.com wrote:
>> The point of the password is so you can prove to the web interface that you own the email address; so the fact that it is in your email box doesn't matter much. (If your email gets hacked this is the last thing you're likely to be worried about after all.) As it says on sign up "do not use a valuable password".
> It doesn't require your email to be hacked, though. There is no security in the email system, they can be intercepted at any point.
In which case so could the password reset emails. It gains you nothing.
Conrad
Conrad Irwin writes,
> The point of the password is so you can prove to the web interface that you own the email address; so the fact that it is in your email box doesn't matter much. (If your email gets hacked this is the last thing you're likely to be worried about after all.) As it says on sign up "do not use a valuable password".
The problem with a cleartext password in email isn't that your email might get hacked. It's that each device with access to the network path from list server to mail server and mail server to email client has access to the password. Search the net for "password sniffer" for more information.
> In which case so could the password reset emails. It gains you nothing.
Password reset tokens or URLs are generally designed to be used one time, and then they expire. The user generally uses it within a few minutes of initiating the password reset, preventing any later use of it.
On the other hand, sending a user's password through the mail exposes it to being logged for later use. For a security-conscious user, it effectively spoils its use forever.
I agree that you shouldn't use a valuable password with Mailman, and that the Mailman project is the right place to ask for a change in Mailman's behavior.
Pete
Marco Schuster wrote:
> Hi all,
> I just got this email from bugzilla. Apparently Google Apps has screwed up something again so the message itself doesn't annoy me, but why are the users' passwords still sent in CLEARTEXT in these days?? Can someone (tm) of the mailman admins or tech guys please fix this up?
https://bugs.launchpad.net/mailman/+filebug
-- Tim Starling
Tim Starling writes,
Thanks, Tim.
After a quick look at the bug tracker and other docs, I can say the issue had been reported long ago (at least a decade), and was on its way to getting fixed a couple of years ago in Mailman 2.2. However, I'm not sure that 2.2 ever made it out. (Wikitech-l is currently running on Mailman 2.1.9; the latest release looks to be 2.1.13.)
The good news: the problem has been fixed in Mailman 3.0: "Get rid of password reminders altogether. Encrypt member passwords and use a password reset feature instead of a reminder. (Done)"
The bad news: Mailman 3.0 is in alpha release right now -- probably not ready to use yet. Though it is currently under active development, so maybe sometime relatively soon.
References:
Bug #266390 in GNU Mailman: “Storing of passwords” https://bugs.launchpad.net/mailman/+bug/266390
SourceForge.net: Mailman: Detail: 209499 - Security hole: passwords mailed in clear http://sourceforge.net/tracker/index.php?func=detail&aid=209499&grou...
Milestones : GNU Mailman https://launchpad.net/mailman/+milestones
Mailman 3.0 - Development - Confluence http://wiki.list.org/display/DEV/Mailman+3.0
Pete
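As an added illustration of the design Pete contrasts with cleartext reminders (one-time, short-lived reset tokens) and of what the Mailman 3.0 note above describes (member passwords stored hashed, reminders replaced by a reset feature), here is a small self-contained implementation in Python. It is not Mailman's code and was not posted in this thread; the names ListStore, issue_reset_token, redeem_reset_token and TOKEN_TTL_SECONDS, the 15-minute lifetime and the sample member are this example's own assumptions. The server keeps only a hash of the password and only a hash of any outstanding reset token, so neither a copy of the member table nor a reset mail read out of a spool after the fact yields a usable credential.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption of this example: a reset link is useful for minutes, not months.
TOKEN_TTL_SECONDS = 15 * 60


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256), so a stolen member
    table does not hand out passwords the way a cleartext reminder mail does."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 200_000)


@dataclass
class Member:
    email: str
    salt: bytes
    password_hash: bytes
    # Open reset as (sha256(token), expiry timestamp); None when none is pending.
    pending_reset: Optional[Tuple[bytes, float]] = None


class ListStore:
    """Hypothetical member store for one list; names are this example's own."""

    def __init__(self) -> None:
        self.members: Dict[str, Member] = {}

    def subscribe(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.members[email] = Member(email, salt, hash_secret(password, salt))

    def check_password(self, email: str, password: str) -> bool:
        member = self.members.get(email)
        if member is None:
            return False
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(hash_secret(password, member.salt), member.password_hash)

    def issue_reset_token(self, email: str, now: Optional[float] = None) -> str:
        """Return the token to put in the reset mail. Only its hash is kept
        server-side, and it expires after TOKEN_TTL_SECONDS."""
        now = time.time() if now is None else now
        member = self.members[email]
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        member.pending_reset = (hashlib.sha256(token.encode("utf-8")).digest(),
                                now + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, email: str, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        """Set a new password if the token matches the pending one and is fresh.
        The pending reset is cleared on any attempt, so a token that is logged
        or read later is never accepted a second time."""
        now = time.time() if now is None else now
        member = self.members.get(email)
        if member is None or member.pending_reset is None:
            return False
        stored_hash, expires_at = member.pending_reset
        member.pending_reset = None  # single use
        if now > expires_at:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, stored_hash):
            return False
        member.salt = secrets.token_bytes(16)
        member.password_hash = hash_secret(new_password, member.salt)
        return True


if __name__ == "__main__":
    store = ListStore()
    store.subscribe("member@example.org", "hunter2")  # constructed sample member
    token = store.issue_reset_token("member@example.org")
    print("mail this once:", token)
    print("reset accepted:", store.redeem_reset_token("member@example.org", token, "new-pass"))
    print("second use refused:", not store.redeem_reset_token("member@example.org", token, "again"))
```

The contrast with the reminder mail quoted at the top of the thread is the lifetime of what is sent: the reminder carries the credential itself, valid until the member changes it, while the token here is worthless after fifteen minutes or one use, whichever comes first.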