[pass] Mailman page is unencrypted HTTP

Niklas Hambüchen mail at nh2.me
Fri Feb 5 17:04:00 CET 2016


just signed up to the mailing list. The signup page at


is unencrypted and https seems to not work there, so my password is now
unavoidably owned by the guy sniffing the Starbucks traffic next to me.

This is not too much of a problem for me right now since I use random
passwords for each signup, but this still feels like an unfortunate
setup for unsuspecting/non-technical people who re-use passwords and
just want to ask a question to this mailing list.

Could the mailman config be put under https?

By the way, this would also make sense for the pass website, or so that
I can at least retreive the signing pubkey via an authenticated
transport (of course to be sure I'd still have to validate the key
identity). Currently there is no way for me to see whether the pass code
I clone has integrity at all because all means to obtain or verify it
can be trivially man-in-the-middled.


More information about the Password-Store mailing list