[Mailman-Developers] Possible yahoogroups problem.

Nigel Metheringham Nigel.Metheringham at dev.InTechnology.co.uk
Tue Jul 8 13:54:29 EDT 2003


On Tue, 2003-07-08 at 13:36, Barry Warsaw wrote:
> I'd think that because three of the UserDesc components come directly
> from the subscribee, it would be very difficult to guess the UserDesc
> repr, /aside/ from the difficulty of guessing the random float and
> timestamp. 

Since it looks like the attacker in this case generated an initial
subscribe request, and then the confirmation, he will have had access to
the UserDesc data - after all, it's all from data he sent to them in the
subscribe request.

So it comes down to how good the output of random.random() is, since the
receipt time could be guessed within a few minutes, giving a small number
of hundreds of seconds to work with.

Which means that effectively the effort to break the subscription cookie
is 2 magnitudes (from say 100 seconds) greater than the difficulty of
just guessing the output of random.random().

>  Given sha's hash security, I'd be inclined to think we're
> safe <wink>.

sha doesn't buy too much here given that so many components are known.

> BTW, is there something we can do to prevent Mailman addresses from
> getting subscribed to Yahoo! or other listservs?  I'd rather not
> hardcode in Yahoo! brain damage, so I'm looking for a more principled
> approach.

List-* headers?

	Nigel.

-- 
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
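The exchange above turns on how much of the confirmation cookie's input an attacker already knows. The following is an added example, not Mailman's code: `legacy_cookie` sketches the scheme as the thread describes it (a SHA hash over the subscriber-supplied UserDesc repr, a `random.random()` float and a timestamp), and `PendingStore` shows the defender's alternative, where the cookie is drawn entirely from the OS CSPRNG, stored only as a hash, expires, and is single-use. Field names, the three-day TTL and the sample UserDesc are assumptions constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample of the fields a subscriber supplies in the subscribe
# request (the components Nigel points out the attacker already knows).
# Field names are assumptions, not Mailman's UserDesc attributes.
SAMPLE_USERDESC = {
    "address": "someone@example.invalid",
    "fullname": "Some One",
    "digest": False,
}

COOKIE_TTL_SECONDS = 3 * 24 * 3600  # assumption: a three-day confirmation window


def legacy_cookie(userdesc, rand_float, timestamp):
    """Sketch of the scheme under discussion (not Mailman's actual code).

    Everything hashed here except rand_float is known or closely guessable
    by whoever sent the subscribe request, so the hash adds no secrecy of
    its own: its strength is exactly the unpredictability of rand_float
    times the timestamp window.
    """
    material = "%s%r%d" % (repr(userdesc), rand_float, timestamp)
    return hashlib.sha1(material.encode()).hexdigest()


def make_cookie():
    """Return a 128-bit confirmation cookie from the OS CSPRNG.

    No component is derived from request data or the clock, so knowing the
    UserDesc and the receipt time gives an attacker nothing to narrow the
    search with.
    """
    return secrets.token_hex(16)


class PendingStore:
    """Pending subscriptions keyed by a hash of the cookie.

    Storing only the hash means a leaked pending-request file does not hand
    out usable cookies; confirmation is single-use and time-limited.
    """

    def __init__(self, ttl=COOKIE_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested offline
        self._pending = {}  # sha256(cookie) -> (userdesc, issued_at)

    @staticmethod
    def _key(cookie):
        return hashlib.sha256(cookie.encode()).hexdigest()

    def add(self, userdesc):
        """Record a pending subscription; return the cookie to mail out."""
        cookie = make_cookie()
        self._pending[self._key(cookie)] = (dict(userdesc), self._now())
        return cookie

    def confirm(self, cookie):
        """Return the UserDesc for a valid, unexpired cookie, else None.

        The entry is removed on first use whether or not it has expired, so
        a cookie can never be replayed.
        """
        entry = self._pending.pop(self._key(cookie), None)
        if entry is None:
            return None
        userdesc, issued_at = entry
        if self._now() - issued_at > self._ttl:
            return None
        return userdesc


if __name__ == "__main__":
    store = PendingStore()
    cookie = store.add(SAMPLE_USERDESC)
    print("mailed cookie:", cookie)
    print("confirmed:", store.confirm(cookie))
    print("replay:", store.confirm(cookie))
```

The legacy sketch is deterministic in its three inputs, which is the whole point of the thread: once the UserDesc and the second of receipt are known, only the float stands between the attacker and the cookie. The store's `now` parameter exists so expiry behaviour can be exercised without waiting.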
