[Mailman-Developers] [Fwd: [vendor-sec] Weak
auto-generated passwords in Mailman]
JC Dill
lists05 at equinephotoart.com
Wed Dec 22 21:07:25 CET 2004
Florian Weimer wrote:
>Last time I checked, Mailman lables its member-only archives
>"private", and the implicit promise to keep things posted to the list
>private is not kept if the software assigns easily guessed to new
>members.
>
>I can only repeat that Mailman's current behavior surprises your users
>*a* *lot*,
>
I disagree.
So called "private" archives are only kept from prying eyes until those
eyes subscribe at which time they are then visible. As I see it, the
point of Mailman's security measures is not to keep anyone "else" from
ever viewing the archives, it is to keep random web browsers and web
spiders from accessing the archives. If someone has the ability to
script a password guessing algorithm to try to guess an acceptable
username/password pair to access the archives, they can more easily
script a program to subscribe, confirm, and then access the archives as
a subscriber. Plus, no matter how simple or secure the password, if you
are scripting a password cracker then it's just a matter of time, the
more easily guessed password is cracked *faster* (on average) but even
"secure" passwords will be cracked eventually.
If your mailing list archives need greater security than this, then you
need a different system. I don't think it is necessary or useful for
Mailman to be the system that meets those needs, especially at the cost
of making Mailman less useful for others who don't need such strong
security measures for their list archives.
>and leads to security breaches.
>
I would love to see a cite for your claim of "leads to security
breaches". Do you know of actual cases where someone has gained access
to private archives by cracking a mailman generated semi-random password
rather than by simply subscribing, or by gaining access to a single
password thru intercept or social engineering means?
jc
More information about the Mailman-Developers
mailing list