[pass] Mailman page is unencrypted HTTP
kyle.marek.spartz at gmail.com
Fri Feb 5 18:06:52 CET 2016
Mailman passwords aren't secure anyway:

  You may enter a privacy password below. This provides only mild
  security, but should prevent others from messing with your
  subscription. Do not use a valuable password as it will occasionally be
  emailed back to you in cleartext.

Niklas Hambüchen writes:
> just signed up to the mailing list. The signup page at
> is unencrypted and https seems to not work there, so my password is now
> unavoidably owned by the guy sniffing the Starbucks traffic next to me.
> This is not too much of a problem for me right now since I use random
> passwords for each signup, but this still feels like an unfortunate
> setup for unsuspecting/non-technical people who re-use passwords and
> just want to ask a question to this mailing list.
> Could the mailman config be put under https?
> By the way, this would also make sense for the pass website, or so that
> I can at least retrieve the signing pubkey via an authenticated
> transport (of course to be sure I'd still have to validate the key
> identity). Currently there is no way for me to see whether the pass code
> I clone has integrity at all because all means to obtain or verify it
> can be trivially man-in-the-middled.