[blag-whereto] password security policy

beloumi beloumi at riseup.net
Fri Jul 24 12:24:04 UTC 2015


On 24.07.2015 at 00:08, Abdur-Rahman Morgan wrote:
> beloumi,
>
> Thanks for pointing this out. The current mailing list for blag is
> located at lists.blagblagblag.org but the same issue would still
> remain true for both mail and http logins.
>
> I'll look into Securing Mailman's web GUI by using Secure HTTP/SSL[0]
> and An encrypted mailing list with Mailman, Exim and Gnupg on Debian
> GNU/Linux[1].
>
> Thank you,
>
> Abdur-Rahman
>
>
> [0]http://wiki.list.org/DOC/4.27%20Securing%20Mailman%27s%20web%20GUI%20by%20using%20Secure%20HTTP-SSL
>
>
> [1]http://www.raphinou.com/smailman/smailman.html
>
Hi Abdur-Rahman,

Nice to see that there is a quick response to security issues.

I have seen this is an old and well-known security hole in Mailman
since 2006:
https://bugs.launchpad.net/mailman/+bug/266821
http://plaintextoffenders.com/post/38287749792/ximian-com-software-developers-gnu-mailman-sends

A move to Mailman 3 seems to solve the problem:
http://wiki.list.org/DOC/How%20do%20I%20turn%20off%20passwords%20completely%3F
"In Mailman 3, passwords are both stored in hashed form (i.e. *not*
clear text) and the monthly reminder feature has been removed."
If the default password hash is really "salted sha512", I would strongly
recommend replacing it. I'm wondering why they have chosen such an
insecure default. I took a short look at GNU Mailman and found there
are several password hashing schemes available. Unfortunately there is
no Scrypt, but Bcrypt is available.

HTTPS would be nice, but I think this is not as necessary as avoiding
this password policy. I think it is generally a bad practice to send
passwords anywhere whether hashed/encrypted or not and Mailman 3 does
not do it now.

I hope this helps to fix the problem.

Beloumi
> On 07/23/2015 11:55 AM, beloumi wrote:
>> Hi,
>> I subscribed some minutes ago...
>> I was wondering,
>> 1. why my password was stored in plaintext
>> and
>> 2. why it was sent via mail over the net without any encryption?
>> This is a very dubious security policy...
>> Is there a reason to do so?
>> Regards
>> Beloumi
>>
>> _______________________________________________
>> blag-whereto mailing list
>> blag-whereto at lists.aktivix.org
>> https://lists.aktivix.org/mailman/listinfo/blag-whereto
>>
>
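The thread above contrasts a "salted sha512" default with Bcrypt and Scrypt. The example below is added here and is not code from the thread or from GNU Mailman; it uses a constructed storage string format (`$scheme$salt_hex$digest_hex`) and assumed scrypt cost parameters to show why a salted but unstretched SHA-512 hash lets an attacker who obtains the database test guesses cheaply, while a memory-hard KDF such as scrypt makes each guess expensive. The verify routine compares in constant time and rejects malformed or unknown-scheme records.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed storage format for this example (NOT Mailman's own format):
#   "$<scheme>$<salt_hex>$<digest_hex>"
# Assumed scrypt parameters for illustration; tune to your hardware.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def hash_salted_sha512(password: str, salt: Optional[bytes] = None) -> str:
    """Salted single-round SHA-512: the salt defeats precomputed tables,
    but one guess costs one SHA-512 call, so offline cracking stays cheap."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return f"$sha512${salt.hex()}${digest.hex()}"


def hash_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """scrypt: a memory-hard KDF; the cost parameters make every guess slow
    for the attacker without noticeably slowing a single legitimate login."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            dklen=64, **SCRYPT_PARAMS)
    return f"$scrypt${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the stored scheme with the stored salt and compare in
    constant time. Malformed records and unknown schemes never verify."""
    try:
        _, scheme, salt_hex, _digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme == "sha512":
        candidate = hash_salted_sha512(password, salt)
    elif scheme == "scrypt":
        candidate = hash_scrypt(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def guesses_per_second(hash_fn: Callable[[str, bytes], str],
                       duration: float = 0.2) -> float:
    """Rough count of how many candidate passwords one core can hash per
    second with the given scheme (what an offline attacker cares about)."""
    salt = os.urandom(16)
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < duration:
        hash_fn("candidate-%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_scrypt("correct horse battery staple")
    print("stored:", record[:40] + "...")
    print("right password verifies:", verify("correct horse battery staple", record))
    print("wrong password verifies:", verify("Tr0ub4dor&3", record))
    for name, fn in (("salted sha512", hash_salted_sha512), ("scrypt", hash_scrypt)):
        print(f"{name:>14}: ~{guesses_per_second(fn):,.0f} guesses/s on this core")
```

Running it prints the two guess rates side by side; the gap between them is the margin a proper KDF buys once the hash database leaks, which no amount of salting alone provides.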