Re: Mailing list reminder: password is sent in the clear
Log-in at [1] and remove the option to send a monthly password reminder?

*Get password reminder email for this list?*
Once a month, you will get an email containing a password reminder for every list at this host to which you are subscribed. You can turn this off on a per-list basis by selecting /No/ for this option. If you turn off password reminders for all the lists you are subscribed to, no reminder email will be sent to you.

[1] https://mail.mozilla.org/options/es-discuss

> Can this be fixed? I've already sent feedback, but didn't get a response. Preferably, passwords would also be encrypted for storage.
>
> --
> Dr. Axel Rauschmayer
> axel at rauschma.de
> twitter.com/rauschma
> Home: rauschma.de
> Blog: 2ality.com

___
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
Re: Mailing list reminder: password is sent in the clear
That’s a good start, thanks. Still find it a bit scary that there’s no encryption.

On Jul 1, 2011, at 16:07 , André Bargull wrote:

> Log-in at [1] and remove the option to send a monthly password reminder?
>
> Get password reminder email for this list?
> Once a month, you will get an email containing a password reminder for every list at this host to which you are subscribed. You can turn this off on a per-list basis by selecting No for this option. If you turn off password reminders for all the lists you are subscribed to, no reminder email will be sent to you.
>
> [1] https://mail.mozilla.org/options/es-discuss
>
>> Can this be fixed? I’ve already sent feedback, but didn’t get a response. Preferably, passwords would also be encrypted for storage.
>>
>> --
>> Dr. Axel Rauschmayer
>> axel at rauschma.de
>> twitter.com/rauschma
>> Home: rauschma.de
>> Blog: 2ality.com

--
Dr. Axel Rauschmayer
a...@rauschma.de
twitter.com/rauschma
Home: rauschma.de
Blog: 2ality.com
Re: Mailing list reminder: password is sent in the clear
What can someone do with that password, though?

Just change your subscription settings, afaik, so the security in place seems proportionate.

Could report it upstream to the mailman team, I suppose.

Mike

On Jul 1, 2011 10:09 AM, Axel Rauschmayer a...@rauschma.de wrote:

> That’s a good start, thanks. Still find it a bit scary that there’s no encryption.
>
> On Jul 1, 2011, at 16:07 , André Bargull wrote:
>
>> Log-in at [1] and remove the option to send a monthly password reminder?
>>
>> Get password reminder email for this list?
>> Once a month, you will get an email containing a password reminder for every list at this host to which you are subscribed. You can turn this off on a per-list basis by selecting No for this option. If you turn off password reminders for all the lists you are subscribed to, no reminder email will be sent to you.
>>
>> [1] https://mail.mozilla.org/options/es-discuss
>>
>>> Can this be fixed? I’ve already sent feedback, but didn’t get a response. Preferably, passwords would also be encrypted for storage.
>>>
>>> --
>>> Dr. Axel Rauschmayer
>>> axel at rauschma.de
>>> twitter.com/rauschma
>>> Home: rauschma.de
>>> Blog: 2ality.com
>
> --
> Dr. Axel Rauschmayer
> a...@rauschma.de
> twitter.com/rauschma
> Home: rauschma.de
> Blog: 2ality.com
Re: Mailing list reminder: password is sent in the clear
2011/7/1 Mike Shaver mike.sha...@gmail.com:

> What can someone do with that password, though?
>
> Just change your subscription settings, afaik, so the security in place seems proportionate.
>
> Could report it upstream to the mailman team, I suppose.

Use it to do a better job of impersonating.

Try it out on other sites.
Re: Mailing list reminder: password is sent in the clear
On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel mikesam...@gmail.com wrote:

> 2011/7/1 Mike Shaver mike.sha...@gmail.com:
>
>> What can someone do with that password, though?
>>
>> Just change your subscription settings, afaik, so the security in place seems proportionate.
>>
>> Could report it upstream to the mailman team, I suppose.
>
> Use it to do a better job of impersonating.
>
> Try it out on other sites.

I don't understand how you could impersonate better, could you explain? You can send mail with any From: you want without bothering to go through someone's mailman account, and you can't even send mail from the mailman interface!

Since mailman passwords are randomly generated at subscription time (and virtually never changed), password reuse is pretty unlikely.

Mike
Re: Mailing list reminder: password is sent in the clear
2011/7/1 Mike Shaver mike.sha...@gmail.com:

> On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel mikesam...@gmail.com wrote:
>
>> 2011/7/1 Mike Shaver mike.sha...@gmail.com:
>>
>>> What can someone do with that password, though?
>>>
>>> Just change your subscription settings, afaik, so the security in place seems proportionate.
>>>
>>> Could report it upstream to the mailman team, I suppose.
>>
>> Use it to do a better job of impersonating.
>>
>> Try it out on other sites.
>
> I don't understand how you could impersonate better, could you explain? You can send mail with any From: you want without bothering to go through someone's mailman account, and you can't even send mail from the mailman interface!
>
> Since mailman passwords are randomly generated at subscription time (and virtually never changed), password reuse is pretty unlikely.

Can't a mailman account holder associate a public key with a mailman instance?

Obviously, few email recipients check public keys, but to the degree that mailman facilitates public key exchange and signed email, being able to change a public key means being able to impersonate.
Re: Mailing list reminder: password is sent in the clear
On Fri, Jul 1, 2011 at 2:50 PM, Mike Samuel mikesam...@gmail.com wrote:

> 2011/7/1 Mike Shaver mike.sha...@gmail.com:
>
>> On Fri, Jul 1, 2011 at 2:30 PM, Mike Samuel mikesam...@gmail.com wrote:
>>
>>> 2011/7/1 Mike Shaver mike.sha...@gmail.com:
>>>
>>>> What can someone do with that password, though?
>>>>
>>>> Just change your subscription settings, afaik, so the security in place seems proportionate.
>>>>
>>>> Could report it upstream to the mailman team, I suppose.
>>>
>>> Use it to do a better job of impersonating.
>>>
>>> Try it out on other sites.
>>
>> I don't understand how you could impersonate better, could you explain? You can send mail with any From: you want without bothering to go through someone's mailman account, and you can't even send mail from the mailman interface!
>>
>> Since mailman passwords are randomly generated at subscription time (and virtually never changed), password reuse is pretty unlikely.
>
> Can't a mailman account holder associate a public key with a mailman instance?

Not in stock mailman (http://www.gnu.org/s/mailman/features.html), but there is a fork which permits it, I think.

Mike