[sf-lug] Yes, Mailman stores and sends the passwords in the clear: Re: Anyone here had any contact with LinuxChix.org?
Rick Moen
rick at linuxmafia.com
Sat Jun 8 14:00:58 PDT 2019
Quoting Akkana Peck (akkana at shallowsky.com):
> I always wondered that, and the best scenario I came up with was:
> user is reading mail via an unencrypted connection on an open or
> compromised network, someone is eavesdropping on the POP/IMAP
> connection, steals user's credentials, logs in to mailman server,
> changes the email address and then posts some kind of incriminating
> or embarrassing message masquerading as the user.
Users have no per-subscriber facility to change their subscription e-mail
addresses. So no. Can't.
A user may unsubscribe one address and subscribe another, as two
separate operations. The first operation entails a confirmation
three-way handshake to the incumbent e-mail address. The second entails
a confirmation three-way handshake to the new e-mail address.
Nothing stops Moriarty the Napoleon of Crime, if he's really bored one
day, from registering a throwaway e-mail address at GMail with realname
field Akkana Peck and then leveraging that throwaway mailbox to register
it to sf-lug at linuxmafia.com mailing list and posting goofy mails
designed to make you look bad by association. But note that this
annoying stunt (a frogery,
http://linuxmafia.com/~rick/lexicon.html#frogery) basically cannot be
prevented by any mailing list manager software, even in theory.
> Maliciously posting spoofed mails sounds more likely.
Fine, go on, how specifically?
Clue: Can't.
> It would most likely be discovered quickly....
Even more likely, you just haven't thought the threat model through.
> On the other hand, password reset isn't hard to implement, so
> it's not like there's any need to send out cleartext passwords.
Actually, I've already listed two functional advantages that have
nothing to do with password resets, but of course I don't speak for
Mailman's developers, so for further information if so moved I suggest
you talk to them.