[Mailman-Users] How hard is it to spoof an email?
Brad Knowles
brad at stop.mail-abuse.org
Mon Jan 30 01:59:33 CET 2006
At 4:50 PM -0500 2006-01-29, Jp Possenti wrote:

> So basically what you are saying is that Mailman is very insecure? (in
> short)

No, not Mailman. At least, not Mailman per se. No, *ALL* SMTP
e-mail is inherently insecure -- unless you add stuff to it to make
it secure. HTTP is inherently insecure for the web, which is why you
use SSL to encrypt the connection and make it safe to transmit
sensitive information.

For e-mail, if you care that much about security, you would need
to encrypt every message you send to the list (e.g., using PGP), and the
list software would need to decrypt it and then re-encrypt it for
all of the list recipients.

If you're not so worried about hiding your message from prying
eyes but you still want to be certain as to who sent which message,
then you would need to add a cryptographic signature to all your
e-mail, and you would need to make sure that this signature survives
all message transit points and doesn't get munged along the way (a
common problem with mailing list managers).
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.
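
The signature-survival problem described in the message above, as an added illustration (not part of the original post and not Mailman code). It assumes a hypothetical list manager that prefixes the Subject and appends a footer; HMAC with a constructed demo key stands in for a real PGP or S/MIME signature so it runs on the standard library alone. The signature breaks only when the list changes something inside the signed scope.

```python
import hashlib
import hmac

# Assumption: HMAC with a constructed key stands in for a public-key signature.
KEY = b"constructed-demo-key"

def canonical(text):
    """Ignore line-ending and trailing-whitespace differences."""
    lines = [ln.rstrip() for ln in text.replace("\r\n", "\n").split("\n")]
    return "\r\n".join(lines).rstrip("\r\n").encode("utf-8")

def sign(headers, body, signed_headers):
    """Tag over the named headers plus the canonical body."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for name in signed_headers:
        mac.update(f"{name.lower()}:{headers[name].strip()}\r\n".encode())
    mac.update(canonical(body))
    return mac.hexdigest()

def verify(headers, body, signed_headers, tag):
    return hmac.compare_digest(sign(headers, body, signed_headers), tag)

def list_rewrite(headers, body, tag_subject=True, add_footer=True):
    """Hypothetical list manager: prefixes the Subject and appends a footer."""
    headers = dict(headers)
    if tag_subject:
        headers["Subject"] = "[Example-List] " + headers["Subject"]
    if add_footer:
        body += "\n--\nExample-List mailing list\n"
    return headers, body

HEADERS = {"From": "alice@example.org", "Subject": "Meeting moved"}  # constructed
BODY = "The meeting is now at 15:00.\n"  # constructed sample body

def demo():
    both = ["From", "Subject"]
    full, body_only = sign(HEADERS, BODY, both), sign(HEADERS, BODY, [])
    tagged = list_rewrite(HEADERS, BODY, add_footer=False)
    footed = list_rewrite(HEADERS, BODY, tag_subject=False)
    return {
        "untouched": verify(HEADERS, BODY, both, full),
        "tag_and_footer": verify(*list_rewrite(HEADERS, BODY), both, full),
        "subject_tag_vs_body_only_sig": verify(*tagged, [], body_only),
        "footer_vs_body_only_sig": verify(*footed, [], body_only),
        "trailing_whitespace_only": verify(HEADERS, BODY.replace("\n", "  \r\n"), both, full),
    }

if __name__ == "__main__":
    print(demo())
```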