[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)
From: Roger Dingledine <arma@xxxxxxx>
Date: Fri, 9 Nov 2012 18:41:06 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 09 Nov 2012 18:41:16 -0500
In-reply-to: <A10118A9-754D-415A-B52D-0AF4FE0806B1@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <A10118A9-754D-415A-B52D-0AF4FE0806B1@xxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.20 (2009-06-14)

On Fri, Nov 09, 2012 at 06:09:36PM -0500, Matthew Fisch wrote:
> I used a unique random password for this mailing list, I'm going to
>guess however a significant portion of the mailing list either uses this
>password in other locations, a significant subset of them probably can't
>trust their mailbox to be secure.

I won't use the phrase "industry standard mailing list software" because
I hate it when other people use that phrase. But really, this is how
every free-software mailing list system works these days.

I'd be surprised if more than a trivial number of users on the Tor
lists picked a password at all. Typically people just let it choose
a random password for them, and it's nice to have that reminder sent
monthly because nobody ever knows their list password (for good reason --
there's barely a need to have a password for a mailing list subscription
in the first place).

Maybe we should find a way to wrestle it into not letting you pick a
password for yourself?

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)
  - From: Asheesh Laroia

References:
- [tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)
  - From: Matthew Fisch

Prev by Author: Re: [tor-talk] Unsigned Mac OS X binary for TorBrowser
Next by Author: [tor-talk] please test the new obfsproxy bridge debian/ubuntu directions
Previous by thread: [tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)
Next by thread: Re: [tor-talk] misconfigured mailing list (mailman software) for torproject discloses passwords in plaintext (stores too?)
Index(es):
- Author
- Thread