Firewall Wizards mailing list archives

RE: Sourceforge sending out passwords in the clear (forwarded message from Barry A. Warsaw)


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 5 Aug 2002 10:19:36 -0400 (EDT)

On Mon, 5 Aug 2002, Barry A. Warsaw wrote:

> Perhaps.  It's an interesting idea.  Just remember that every extra
> step that people need to take to do whatever it is they want to do
> increases your administrative costs.  So again, it's a trade-off, but
> perhaps a useful one.  It would be doable in MM2.1.

I'd take the hit- if I can change it, having a more secure default (as 
Anton was requesting) makes more sense to me.  Most of my experiences have 
been with people who just can't find the unsubscribe stuff on the listinfo 
page- so far people have been pretty happy to go back and actually do it 
themselves (I won't manually unsub someone who's not e-mailing from the 
account they want unsub'd- and it seems that most of them were getting 
.forwarded so they could get their password and unsubscribe, they just 
didn't find the link.)

> You're right, I forgot to mention that.  newlist (and the MM2.1 web
> equivalent) can send out the plaintext list admin password because it
> has it right there -- it's the only place that has access to that
> password before it's scrambled and stored since the list is being
> created right there.  But there is never a `reminder' of the list
> admin password.

Right, it'd probably be good to have a warning there (we're all security 
geeks on firewall-wizards, so we tend to worry about these things to the 
point of obsession ;).)  Adding a warning would be good, having someone 
hit something other than <enter> might be more onerous and counter to the 
way people usually use the software.


> In a sense, /some/ entity has to inform the list owner of the initial
> password because the person creating the list is often not the person
> who will be admin'ing the list.  If you want to use alternative
> channels, simply use "bin/newlist -q" or (in MM2.1) turn off the
> "notify the list owner now" button in the web form.

I use it quite a bit, but only when I have some level of assurance that 
the mail is going to a mail path that I have some reasonable level of 
trust in.  Personally, I'd prefer a one-time list owner authentication 
that forced them to change it- so that a compromise didn't have longer 
ramifications </feature request>.

    > come from folks who want to unsubscribe.  The next version will use
    > mailback confirmations for unsubscription requests, so most users will
    > likely never even need their passwords.

    PDR> Add the ability to easily add an unsubscribe link to the top
    PDR> of the list page, and you'll have me owing you beers.

> Do you mean the listinfo page?  More than what's there?  The problem

Yep, and really I mean a specific "enter your e-mail address" link like 
the last entry box, but at the very top of the page (I understand how the 
page is organized, but a single line or two for the most missed/used 
feature would be a good thing to have by default IMO.)

> here of course is that members don't just forget their passwords, they
> also forget what address they're subscribed with. ;)  So an individual
> unsub link on a generic web page is problematic.

Actually, if the default interface just had a link to the bottom section 
"Click here to unsubscribe or change your subscription options-" it'd be a 
good thing- I used to add that manually, but it got to be a pain to 
maintain.

> Note though that MM2.1 will support various forms of personalization
> of list postings.  While it increases the load on your system and
> network, it may be appropriate for some lists and sites.  Then, each
> member can be given a footer containing the url to their personal
> login page, which has a big unsub button on it.

It'll be interesting to see the difference in delivery time, that's 
probably worthwhile for most installations.  

    PDR> Getting back to my original discussion with Anton- would you
    PDR> accept patches in this area if someone wanted to have Mailman
    PDR> "do the right thing" out of the box with passwords, or is it
    PDR> pretty much "should be this high to admin Mailman?"

> DEFAULT_SEND_REMINDERS = 0 in your mm_cfg.py file.

Actually, I was thinking more of a click/send/reply interface (or maybe a 
challenge/response thing,) however it sounds like mostly that'll be in 2.1 
anyway.  Also a "force owner to change their password" thing would be a 
good addition- I just want to know if it's worth me spending time in a 
Python book ;) 

Also, I think Anton's concern about defaults for the greater good plays 
in, changing my config doesn't address that.  However, maybe just a 
"Mailman Security FAQ" would be a good middle step?

Thanks again,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
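Paul's feature request above (a one-time list-owner password that must be replaced at first login, so an intercepted or long-lived initial password loses its value) worked through as an added Python example; this is not Mailman's code, and the in-memory store, the function names and the 10-character minimum for the replacement are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class OwnerCredential:
    salt: bytes
    digest: bytes
    must_change: bool  # True until the owner has replaced the mailed password

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: only the digest is stored, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _credential(password: str, must_change: bool) -> OwnerCredential:
    salt = os.urandom(16)
    return OwnerCredential(salt, _hash(password, salt), must_change)

# Hypothetical in-memory store standing in for Mailman's per-list configuration.
STORE: Dict[str, OwnerCredential] = {}

def create_list(listname: str) -> str:
    """Create a list and return its one-time initial owner password.

    This is the only moment the plaintext exists (the position newlist is in);
    whether it travels by mail or out of band is the caller's choice."""
    initial = secrets.token_urlsafe(12)
    STORE[listname] = _credential(initial, must_change=True)
    return initial

def authenticate(listname: str, password: str, new_password: Optional[str] = None) -> str:
    """Return 'ok', 'must_change' or 'denied'.

    While must_change is set, the initial password only succeeds if a fresh
    replacement is supplied in the same step; that step retires it for good."""
    cred = STORE.get(listname)
    if cred is None or not hmac.compare_digest(_hash(password, cred.salt), cred.digest):
        return "denied"
    if not cred.must_change:
        return "ok"
    if new_password is None or new_password == password or len(new_password) < 10:
        return "must_change"  # not logged in yet; a proper new password is required
    STORE[listname] = _credential(new_password, must_change=False)
    return "ok"
```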

