Hey, just signed up to the mailing list. The signup page at http://lists.zx2c4.com/mailman/listinfo/password-store is unencrypted and https seems to not work there, so my password is now unavoidably owned by the guy sniffing the Starbucks traffic next to me.

This is not too much of a problem for me right now since I use random passwords for each signup, but this still feels like an unfortunate setup for unsuspecting/non-technical people who re-use passwords and just want to ask a question to this mailing list. Could the mailman config be put under https?

By the way, this would also make sense for the pass website, or so that I can at least retrieve the signing pubkey via an authenticated transport (of course to be sure I'd still have to validate the key identity). Currently there is no way for me to see whether the pass code I clone has integrity at all because all means to obtain or verify it can be trivially man-in-the-middled.

Thanks!

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
