[Mailman-Developers] Possible yahoogroups problem.
Nigel Metheringham
Nigel.Metheringham at dev.InTechnology.co.uk
Tue Jul 8 16:00:27 EDT 2003
On Tue, 2003-07-08 at 15:32, Barry Warsaw wrote:
> [Removing list-managers from the recipients]
You took off mailman-developers too... I've put that one back. :-)
>
> On Tue, 2003-07-08 at 08:54, Nigel Metheringham wrote:
> > Since it looks like the attacker in this case generated an initial
> > subscribe request, and then the confirmation, he will have had access to
> > the UserDesc data - after all it's all from data he sent to them in the
> > subscribe request.
>
> Except that in an email request, we auto-generate the password, so
> there's a little more randomness there.
I had missed that.
> > So it comes down to how good is the output of random.random() since the
> > receipt time could be guessed within a few minutes giving a small number
> > of hundreds of seconds to work with.
>
> time.time() is a float with precision equal to the system clock
> precision, probably closer to microseconds than 100s of secs on Linux
> <wink>.
So that means to guess the subscription cookie, given a mailed
subscription, you need to guess:-
* the account password - basically a few characters of base64, so
say 2^24 (16 million)
* time.time() - so the real clock resolution over 100 seconds -
which is probably 5000 (50 (Hz) * 100) on older Linux, up to
102400 on more modern versions. [Load of assumptions here...]
call it around 2^12 being conservative
* random.random() - since it's a stringified real I guess that's
probably not much better than 10^6 (say 2^20).
So that gives us around 2^56 for mailed requests, 2^32 for web requests
(password is known - and the time is known better, maybe should reduce
that by 2^7 or so).
That's a fair amount to attack.
One thing that could be considered to protect ourselves against such
attacks if there was a way of reducing the complexity to reasonable
levels, would be to drop pending subscription requests after a couple
(think of an appropriate number) of failed cookie cracking attempts.
That of course transforms this into a denial of service attack :-(
> > > BTW, is there something we can do to prevent Mailman addresses from
> > > getting subscribed to Yahoo! or other listservs? I'd rather not
> > > hardcode in Yahoo! brain damage, so I'm looking for a more principled
> > > approach.
> >
> > List-* headers?
>
> I.e. never respond to messages with List-* headers? Probably
> Precedence: bulk|junk|list too.
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
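The search-space estimate and the lockout idea in the message above, worked through in code. This is an added example and not Mailman's code: it assumes a hypothetical cookie construction sha1(password || clock tick || PRNG bucket) and a hypothetical PendingStore keyed by address; the real Mailman 2.1 Pending module may format and order its inputs differently. brute_force_cookie takes the attacker's view of a web request (password known, receipt time known to within a few clock ticks, PRNG output reduced to a small number of distinguishable values), and PendingStore shows why dropping a request after a few bad cookies hands an attacker a denial of service against the legitimate subscriber.

```python
"""Model of a confirmation cookie built from partly guessable inputs.

Added illustration, not Mailman's own code. Assumed construction:
cookie = sha1(password || tick || rnd), where `tick` is the clock reading
at the configured resolution and `rnd` is the PRNG output bucketed into
`random_states` distinct values. Mailman's real code may differ.
"""
import hashlib
import math
import secrets


def make_cookie(password: str, tick: int, rnd: int) -> str:
    # Assumed construction; only the search-space reasoning depends on it.
    return hashlib.sha1(f"{password}:{tick}:{rnd}".encode()).hexdigest()


def guess_work_bits(password_bits: float, clock_states: int,
                    random_states: int) -> float:
    """log2 of the attacker's search space for the three independent inputs."""
    return password_bits + math.log2(clock_states) + math.log2(random_states)


def brute_force_cookie(target: str, password: str, first_tick: int,
                       n_ticks: int, random_states: int):
    """Attacker's view of a web request: password known, receipt time known
    to within n_ticks, PRNG output limited to random_states values.
    Returns the (tick, rnd) pair that reproduces the cookie, or None."""
    for tick in range(first_tick, first_tick + n_ticks):
        for rnd in range(random_states):
            if make_cookie(password, tick, rnd) == target:
                return tick, rnd
    return None


def unguessable_cookie() -> str:
    """A cookie from the OS CSPRNG: 160 bits that no attacker-visible input
    (password, clock, PRNG state) can shrink."""
    return secrets.token_hex(20)


class PendingStore:
    """Hypothetical store of pending requests keyed by address; a request is
    dropped after max_failures bad confirmations (the lockout idea above)."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self._pending = {}  # address -> [cookie, failure count]

    def add(self, address: str) -> str:
        cookie = unguessable_cookie()
        self._pending[address] = [cookie, 0]
        return cookie

    def confirm(self, address: str, cookie: str) -> str:
        entry = self._pending.get(address)
        if entry is None:
            return "unknown"
        if secrets.compare_digest(entry[0], cookie):
            del self._pending[address]
            return "confirmed"
        entry[1] += 1
        if entry[1] >= self.max_failures:
            # The attacker has now locked out the real subscriber.
            del self._pending[address]
            return "dropped"
        return "rejected"


if __name__ == "__main__":
    # Search space under the message's rough figures for a mailed request.
    print(f"mailed request: 2^{guess_work_bits(24, 2**12, 2**20):.0f}")
    # Scaled-down web request: 100 clock ticks x 1000 PRNG buckets = 10^5 hashes.
    target = make_cookie("s3cret", 1000, 777)
    print("recovered:", brute_force_cookie(target, "s3cret", 1000, 100, 1000))
    # Lockout turns the brute force into a denial of service against the user.
    store = PendingStore(max_failures=3)
    real = store.add("alice at example.com")   # constructed sample address
    for _ in range(3):
        print(store.confirm("alice at example.com", "00" * 20))
    print(store.confirm("alice at example.com", real))  # "unknown": request gone
```

With the message's figures (2^24 password, 2^12 clock states, 2^20 PRNG states) guess_work_bits returns 56; with the password known and the clock narrowed to 2^5 states it returns 25, which is the scale the scaled-down brute force in the block recovers in well under a second. The point of unguessable_cookie is that a token drawn from the OS CSPRNG removes the dependence on any of the three inputs, so no lockout rule, and hence no denial-of-service trade-off, is needed.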