nanog mailing list archives

Re: it's mailman time again


From: Aaron de Bruyn via NANOG <nanog () nanog org>
Date: Sat, 2 Sep 2023 15:04:05 +0000

I donno Rich...a couple of decades ago I lost my Slashdot account because someone was able to access it.
I used the password in two places...Slashdot and all the blasted mailman instances I was signed up with.

To this day, I still use the same password on all my mailman subscriptions because I consider mailman insecure for 
emailing out passwords. I just obviously don't use the password anywhere else. So you're right that all anyone can do 
is unsubscribe me from something...which isn't a big deal, but it makes me wonder just how many people have terrible 
mailman passwords and maybe use them elsewhere...and wouldn't report a compromise because...well...it'd make me look 
stupid. 😉

Ignoring all of that—it's just a horrible practice to not encrypt passwords and to email them out. You don't really 
even need a mailman password. You just put in your email address and hit 'unsubscribe'...and it'll send you a link to 
click as authorization...so why not drop passwords altogether and just rely on click-to-authorize? Or just encrypt the 
passwords and have a "forgot password" click-to-reset like every other app on the planet?

-A

On Sat Sep 2, 2023, 07:57 AM GMT, Rich Kulawiec <mailto:rsk () gsp org> wrote:
On Fri, Sep 01, 2023 at 10:16:05AM -0700, Randy Bush wrote:
and i just have to wonder about sending passwords over the net in
cleartext in 2023. really?

This is a non-issue.

Given that pretty much every SMTP connection is encrypted and that
the worst thing that an attacker in possession of one of your Mailman
passwords can do is unsubscribe you (in which case you and the list
manager will be notified, and you can solve the problem quite rapidly),
no, this isn't a problem that anyone needs to worry about.

I've run (and am running) a lot of mailing lists with Mailman including
some large-ish ones for what's now approaching 20 years. The scenario
above has never happened. Nobody's even tried, which isn't surprising
given that such an attack is increasingly difficult and yields little,
if any, benefit to the attacker. Moreover, any hypothetical attacker
possessing the resources and expertise required to pull this off could
certainly find far more effective things to do.

---rsk

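Aaron's click-to-authorize suggestion, as an added example that is not part of this thread and not Mailman's own code: a signed, expiring, single-purpose unsubscribe token that a list server could put in the confirmation link instead of ever mailing a password. The secret, the one-hour lifetime and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional, Tuple

# Constructed server-side secret: lives only on the list server, so a
# leaked or sniffed link reveals nothing reusable elsewhere.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed)


def _sign(payload: bytes) -> bytes:
    # Hex-encoded HMAC so the separator byte "|" can never appear inside it.
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()


def make_unsubscribe_token(address: str, list_name: str, now: Optional[float] = None) -> str:
    """Build the token to embed in the emailed link: action, list, address, expiry, MAC."""
    expires = int((now if now is not None else time.time()) + TOKEN_TTL)
    payload = f"unsubscribe|{list_name}|{address}|{expires}".encode()
    return urlsafe_b64encode(payload + b"|" + _sign(payload)).decode()


def verify_unsubscribe_token(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (list_name, address) when the token is genuine, unexpired and
    bound to the unsubscribe action; None for anything tampered, stale or reused."""
    try:
        raw = urlsafe_b64decode(token.encode())
        payload, sig = raw.rsplit(b"|", 1)
        action, list_name, address, expires_text = payload.decode().split("|")
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time compare, and check the MAC before trusting any field.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if action != "unsubscribe":
        return None  # a token minted for some other action cannot be repurposed
    current = now if now is not None else time.time()
    if current > expires:
        return None
    return list_name, address
```

Unlike a mailed password, the token authorizes exactly one action on one list for one address for a bounded time, so a captured message is worthless after the window closes.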