[Mono-list] plaintextoffenders

edward.harvey.mono edward.harvey.mono at clevertrove.com
Wed Jan 2 13:16:48 UTC 2013 

> From: mono-list-bounces at lists.ximian.com [mailto:mono-list-
> bounces at lists.ximian.com] On Behalf Of Daniel Hughes
> 
> Just letting you guys know that your now famous on plain text offenders.
> 
> http://plaintextoffenders.com/post/38287749792/ximian-com-software-
> developers-gnu-mailman-sends
> 
> It should be noted that this is not directly mono's fault, but rather is the
> result of using gnu mailman (who have sat on this bug for years)

Of course, if a 3rd party intercepts the mail in-transit and recovers that password, they can login to the mailman web interface and impersonate you on the mailing list, change your mailman mail delivery preferences, or worse yet, completely unsubscribe you.  Such actions really should only be possible with something like a confirmation email that you need to reply to or click a special link...  But then again ... mailman is for mail delivery.  So if the attacker can intercept your mail in-transit ... heheheh  I guess they can do that anyway, and the real problem is not them discovering your password, but the fact that they can intercept your mail.

Suppose there's a password reset link, which generates a confirmation email to you with a special link or one-time random password... If an attacker can intercept your mail ... well ... guess what.

The *real* real problem here is people who use the same password on mailman as they do anywhere else.  Personally, when I subscribe to mailman, I accept whatever randomly generated password the system creates, and I never look at it and never use it, because it's useless.  If I want to login to mailman, I can always click the "I forgot my password" link and have them email me a confirmation.  So I don't care who intercepts my random password.  

The only real problem is if the user selects their own password and it matches something somewhere else.

I kinda like the plaintext password being mailed around, to *encourage* people to stop reusing their passwords on different sites. hehehehe

More information about the Mono-list mailing list