[pass] Mailman page is unencrypted HTTP

Asheesh Laroia asheesh at sandstorm.io
Fri Feb 5 18:04:58 CET 2016


For what it's worth, my personal preference is to modify the Mailman
template to use HTML comments to remove the password field. If people
submit no password, then Mailman generates one for them randomly, which
results in better security IMHO and better usability IMHO.

On Fri, Feb 5, 2016 at 8:04 AM, Niklas Hambüchen <mail at nh2.me> wrote:

> Hey,
>
> just signed up to the mailing list. The signup page at
>
>   http://lists.zx2c4.com/mailman/listinfo/password-store
>
> is unencrypted and https seems to not work there, so my password is now
> unavoidably owned by the guy sniffing the Starbucks traffic next to me.
>
> This is not too much of a problem for me right now since I use random
> passwords for each signup, but this still feels like an unfortunate
> setup for unsuspecting/non-technical people who re-use passwords and
> just want to ask a question to this mailing list.
>
> Could the mailman config be put under https?
>
> By the way, this would also make sense for the pass website, or so that
> I can at least retrieve the signing pubkey via an authenticated
> transport (of course to be sure I'd still have to validate the key
> identity). Currently there is no way for me to see whether the pass code
> I clone has integrity at all because all means to obtain or verify it
> can be trivially man-in-the-middled.
>
> Thanks!
>
>
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store
>
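As an added example that is not code from this thread, from Mailman or from the pass project: a small stand-alone Python checker for the problem the thread describes, namely a subscription form that submits a password field to a plain-HTTP URL. It parses a listinfo-style page, resolves each form's action against the page URL, and flags any form that carries a password input and would post it over something other than HTTPS. The embedded page markup and the input names (`pw`, `pw-conf`) are constructed for the example and are only an approximation of a real Mailman 2 listinfo page; the page URL is the one quoted in the message above.

```python
"""Flag subscription forms that would submit a password over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect every <form> on the page with its action, method and inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_signup_page(page_url, html):
    """Return one finding per form that has a password input and whose
    resolved action URL is not https://. Checking the page scheme alone is
    not enough: an https page whose form posts to an absolute http:// action
    leaks the password just the same, so the action is what gets resolved."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        pw_fields = [i["name"] for i in form["inputs"] if i["type"] == "password"]
        if not pw_fields:
            continue  # no password on this form, nothing to leak
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme.lower() != "https":
            findings.append(
                {"target": target, "method": form["method"], "password_fields": pw_fields}
            )
    return findings


# Constructed sample pages (not real Mailman template output).
PAGE_URL = "http://lists.zx2c4.com/mailman/listinfo/password-store"

SAMPLE_LISTINFO_HTML = """
<html><body>
<form method="POST" action="../subscribe/password-store">
  <input type="text" name="email">
  <input type="text" name="fullname">
  <input type="password" name="pw">
  <input type="password" name="pw-conf">
  <input type="submit" name="email-button" value="Subscribe">
</form>
<form method="POST" action="../options/password-store">
  <input type="text" name="email">
  <input type="submit" value="Unsubscribe or edit options">
</form>
</body></html>
"""

# An https page whose subscribe form still posts to an absolute http:// URL.
SAMPLE_MIXED_HTML = """
<form method="POST" action="http://lists.zx2c4.com/mailman/subscribe/password-store">
  <input type="text" name="email">
  <input type="password" name="pw">
</form>
"""

# The variant suggested in the reply above: password inputs commented out,
# so the subscriber submits no password and the server picks a random one.
SAMPLE_NO_PW_HTML = """
<form method="POST" action="../subscribe/password-store">
  <input type="text" name="email">
  <!-- <input type="password" name="pw"> -->
  <!-- <input type="password" name="pw-conf"> -->
</form>
"""

if __name__ == "__main__":
    for f in audit_signup_page(PAGE_URL, SAMPLE_LISTINFO_HTML):
        print("password fields %s posted via %s to %s"
              % (f["password_fields"], f["method"], f["target"]))
```

The checker reports nothing for the commented-out variant because `html.parser` delivers comments to `handle_comment`, not as tags, which matches the effect of the template change proposed above. Run it against fetched HTML in the same way, passing the page URL you fetched so relative actions resolve correctly.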