[tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)

Asheesh Laroia asheesh at asheesh.org
Sun Nov 11 02:48:53 UTC 2012


Excerpts from Roger Dingledine's message of Fri Nov 09 18:41:06 -0500 2012:
> On Fri, Nov 09, 2012 at 06:09:36PM -0500, Matthew Fisch wrote:
> > I used a unique random password for this mailing list, I'm going to
> > guess however a significant portion of the mailing list either uses this
> > password in other locations, a significant subset of them probably can't
> > trust their mailbox to be secure.
> 
> I won't use the phrase "industry standard mailing list software" because
> I hate it when other people use that phrase. But really, this is how
> every free-software mailing list system works these days.
> 
> I'd be surprised if more than a trivial number of users on the Tor
> lists picked a password at all. Typically people just let it choose
> a random password for them, and it's nice to have that reminder sent
> monthly because nobody ever knows their list password (for good reason --
> there's barely a need to have a password for a mailing list subscription
> in the first place).
> 
> Maybe we should find a way to wrestle it into not letting you pick a
> password for yourself?

What I've done for this is to simply remove the password fields from the 
form. Then it autoassigns you a password.

You can see that here: http://lists.acm.jhu.edu/mailman/listinfo/acm

(Viewing the source, I see what I did instead was to put it in an HTML 
comment.)

I brought that trick with me to other domains, e.g. 
http://lists.openhatch.org/mailman/listinfo/devel

Contrast with e.g. 
https://mail.gnome.org/mailman/listinfo/asia-summit-list where the 
password form is visible.

It's a fairly simple edit to the default mailman template, as I recall, 
and these changes I made have successfully stuck around across upgrades 
and more.

Users will still need to use the list password to do things like change 
one's email address on the list and a few other obscure things. My hack 
is just a UI fix that papers over the deep insanity of Mailman 
passwords, and I rank it quite high for cost-effectiveness. So please 
consider it! I hope it fits y'all's needs.

-- Asheesh.
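An added check, not part of Asheesh's message or of Mailman itself, that tells a listinfo page whose password fields are actually rendered apart from one where they only survive inside an HTML comment (the "view source" case noted above). The sample markup and the input names "pw" and "pw-conf" are assumptions modelled on the stock Mailman 2 subscribe form.

```python
from html.parser import HTMLParser

# Constructed sample of the subscribe form a Mailman 2 listinfo page renders.
# The input names "pw" and "pw-conf" are assumed from the stock template,
# not taken from the message above.
VISIBLE_FORM = """
<form method="POST" action="/mailman/subscribe/example">
<input type="text" name="email" size="30">
<tr><td>Pick a password:</td>
<td><INPUT type="Password" name="pw" size="15"></td></tr>
<tr><td>Reenter password to confirm:</td>
<td><INPUT type="Password" name="pw-conf" size="15"></td></tr>
<input type="submit" name="email-button" value="Subscribe">
</form>
"""

# The same form after the template hack: the password rows are wrapped in an
# HTML comment, so they are still in the source but a browser never shows them.
HIDDEN_FORM = VISIBLE_FORM.replace("<tr><td>Pick", "<!-- <tr><td>Pick").replace(
    'name="pw-conf" size="15"></td></tr>', 'name="pw-conf" size="15"></td></tr> -->')


class PasswordFieldFinder(HTMLParser):
    """Collects the names of password inputs, split by whether a browser renders them."""

    def __init__(self):
        super().__init__()
        self.visible = []     # password inputs a user actually sees
        self.commented = []   # password inputs that only survive inside <!-- -->

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.visible.append(a.get("name"))

    def handle_comment(self, data):
        # Parse the comment body separately: HTMLParser never emits tags for it,
        # so without this an audit would miss that the fields still exist.
        inner = PasswordFieldFinder()
        inner.feed(data)
        self.commented.extend(inner.visible)


def password_fields(page_html):
    """Return (visible, commented_out) password input names for a listinfo page."""
    finder = PasswordFieldFinder()
    finder.feed(page_html)
    finder.close()
    return finder.visible, finder.commented
```

Run it over a fetched listinfo page: an empty first list means subscribers get an auto-assigned password as described above, while a non-empty second list shows the fields were hidden by commenting rather than removed.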
