Even so, with free certificates available from Let's Encrypt, there's no reason not to use HTTPS. Still, I'd suggest making the message telling people not to use a good password more attention-getting.

On Fri, Feb 5, 2016 at 12:06 PM, Kyle Marek-Spartz <[email protected]> wrote:
> Mailman passwords aren't secure anyway:
>
> You may enter a privacy password below. This provides only mild
> security, but should prevent others from messing with your
> subscription. Do not use a valuable password as it will occasionally be
> emailed back to you in cleartext.
>
> Niklas Hambüchen writes:
>
>> Hey,
>>
>> just signed up to the mailing list. The signup page at
>>
>> http://lists.zx2c4.com/mailman/listinfo/password-store
>>
>> is unencrypted and https seems to not work there, so my password is now
>> unavoidably owned by the guy sniffing the Starbucks traffic next to me.
>>
>> This is not too much of a problem for me right now since I use random
>> passwords for each signup, but this still feels like an unfortunate
>> setup for unsuspecting/non-technical people who re-use passwords and
>> just want to ask a question to this mailing list.
>>
>> Could the mailman config be put under https?
>>
>> By the way, this would also make sense for the pass website, or so that
>> I can at least retrieve the signing pubkey via an authenticated
>> transport (of course to be sure I'd still have to validate the key
>> identity). Currently there is no way for me to see whether the pass code
>> I clone has integrity at all because all means to obtain or verify it
>> can be trivially man-in-the-middled.
>>
>> Thanks!
>>
>>
>> _______________________________________________
>> Password-Store mailing list
>> [email protected]
>> http://lists.zx2c4.com/mailman/listinfo/password-store
>
>
> --
> Kyle Marek-Spartz
