[Mailman-Developers] [Fwd: [vendor-sec] Weak auto-generated passwords in Mailman]

JC Dill lists05 at equinephotoart.com
Wed Dec 22 21:07:25 CET 2004


Florian Weimer wrote:

>Last time I checked, Mailman labels its member-only archives
>"private", and the implicit promise to keep things posted to the list
>private is not kept if the software assigns easily guessed passwords to new
>members.
>
>I can only repeat that Mailman's current behavior surprises your users
>*a* *lot*, 
>
I disagree. 

So-called "private" archives are only kept from prying eyes until those
eyes subscribe, at which time they are then visible.  As I see it, the
point of Mailman's security measures is not to keep anyone "else" from
ever viewing the archives; it is to keep random web browsers and web
spiders from accessing the archives.  If someone has the ability to
script a password guessing algorithm to try to guess an acceptable
username/password pair to access the archives, they can more easily
script a program to subscribe, confirm, and then access the archives as
a subscriber.  Plus, no matter how simple or secure the password, if you
are scripting a password cracker then it's just a matter of time: the
more easily guessed password is cracked *faster* (on average), but even
"secure" passwords will be cracked eventually.

If your mailing list archives need greater security than this, then you 
need a different system.  I don't think it is necessary or useful for 
Mailman to be the system that meets those needs, especially at the cost 
of making Mailman less useful for others who don't need such strong 
security measures for their list archives.

>and leads to security breaches.
>
I would love to see a cite for your claim of "leads to security
breaches".  Do you know of actual cases where someone has gained access
to private archives by cracking a Mailman-generated semi-random password
rather than by simply subscribing, or by gaining access to a single
password through interception or social engineering means?

jc
