[Mailman-Users] Re: cleartext passwords

J C Lawrence claw at kanga.nu
Mon Oct 2 20:11:32 CEST 2000 

On Mon, 2 Oct 2000 11:27:55 -0400 
Tom Neff <tneff at bigfoot.com> wrote:

> I do NOT think that cleartext passwords should be mailed out en
> masse as part of a monthly reminder cycle.  That is, over time,
> going to degrade security and user confidence in the product.

There are several conflicting problems here:

  1) Security for sensitive lists and list settings
  2) Ease of use for neophyte and cavalier users
  3) Barrier to entry for users

Currently Mailman defaults to making things easy for casual and
neophyte users, making Mailman lists easy to approach and use, and
places a small lock on the gate to deter casual attacks.  Bigger
locks, and more rigorous systems would demand compromises in ease of
use, and barriers to entry for list use.  Less rigorous systems than
mailman of course abound.

A more telling question:

  Are you running Mailman under SSL?  

  Why not?  "Anybody" could snoop your user's passwords off the wire
  as they authenticate.

  Are you doing SSL client key authentication?  

  Why not?  "Anybody" could claim to be that user and not be.

The first question is actually serious.  Are you running the Mailman
CGIs under SSL?  Do you have an SSL key signed by a known/trusted CA
(ie not SnakeOil)?

  ObNote: Carefyl web watchers will note that I'm using a SnakeOil
SLL cert at Kanga.Nu.  Yes, its open to man-in-the-middle attacks.
However, it also is a minor but effective dissuasion to casual
attacks -- which is about all Mailman promises in the first place.

Security is not a game of absolutes.  Its a game of intelligent
assessment of risks and of the costs of assuaging those risks.
Mailman makes the choice that "something is better than nothing, but
anything more is just not worth it".  Its a fair position.  Its
better than the typical wide-open list servers, but not as good as
say RSA key authentication.

Its also more annoying to use than wide-open list servers, and far
easier to use and remember than RSA key authentication (What?  I
have to track *ANOTHER* key pair?)

How difficult do you want your services to be to use?

> Passwords should only be sent in response to an explicit user
> request.  

Mailman is of course configurable to do this.

> The monthly reminder (which is a trifle annoying - I now get a
> flock of them every first on the month) should, at most, contain a
> URL for the user profile page, which includes a button to request
> an emailed password if the user has forgotten it.

As a list owner I like them for the simplest of reasons:

  Every month, just after the reminders go out, I get a rash of
  unsubscribes.  

I like this.  It keeps my subscriber bases clean and gives me a
(more) accurate tally of my membership base.

As a list member, well, procmail is my friend.

-- 
J C Lawrence                                 Home: claw at kanga.nu
---------(*)                               Other: coder at kanga.nu
http://www.kanga.nu/~claw/        Keys etc: finger claw at kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--

More information about the Mailman-Users mailing list