[pass] Mailman page is unencrypted HTTP

Kyle Marek-Spartz kyle.marek.spartz at gmail.com
Fri Feb 5 18:06:52 CET 2016


Mailman passwords aren't secure anyway:

 You may enter a privacy password below. This provides only mild
 security, but should prevent others from messing with your
 subscription. Do not use a valuable password as it will occasionally be
 emailed back to you in cleartext.

Niklas Hambüchen writes:

> Hey,
>
> just signed up to the mailing list. The signup page at
>
>   http://lists.zx2c4.com/mailman/listinfo/password-store
>
> is unencrypted and https seems to not work there, so my password is now
> unavoidably owned by the guy sniffing the Starbucks traffic next to me.
>
> This is not too much of a problem for me right now since I use random
> passwords for each signup, but this still feels like an unfortunate
> setup for unsuspecting/non-technical people who re-use passwords and
> just want to ask a question to this mailing list.
>
> Could the mailman config be put under https?
>
> By the way, this would also make sense for the pass website, or so that
> I can at least retrieve the signing pubkey via an authenticated
> transport (of course to be sure I'd still have to validate the key
> identity). Currently there is no way for me to see whether the pass code
> I clone has integrity at all because all means to obtain or verify it
> can be trivially man-in-the-middled.
>
> Thanks!
>
>
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/password-store


--
Kyle Marek-Spartz
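As an added illustration (not part of the thread or of Mailman itself), a small check for the condition described above: it scans a fetched page for forms that contain a password field and whose submit target resolves to cleartext http://. The sample HTML is a constructed imitation of a Mailman listinfo subscribe form, not a capture of the real page.

```python
# Added example (not from the thread): audit fetched HTML for password
# inputs whose form would be submitted over cleartext HTTP.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Record, per <form>, the resolved action URL and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or relative action is resolved against the page's own URL.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_url, html):
    """Return action URLs of forms that carry a password field and submit over http://."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return [f["action"] for f in scanner.forms
            if f["has_password"] and urlsplit(f["action"]).scheme.lower() == "http"]


# Constructed sample modelled on a Mailman listinfo page (hypothetical host, not a real capture).
SAMPLE_URL = "http://lists.example.org/mailman/listinfo/demo-list"
SAMPLE_HTML = """
<form method="POST" action="../subscribe/demo-list">
  <input type="text" name="email">
  <input type="password" name="pw">
  <input type="password" name="pw-conf">
  <input type="submit" value="Subscribe">
</form>
<form method="POST" action="https://lists.example.org/mailman/options/demo-list">
  <input type="text" name="email">
  <input type="submit" value="Unsubscribe or edit options">
</form>
"""

if __name__ == "__main__":
    for url in cleartext_password_forms(SAMPLE_URL, SAMPLE_HTML):
        print("password field submitted over cleartext HTTP:", url)
```

A page that is itself fetched over http:// can have its form rewritten in transit, so a clean result from this check only means the submit target is not plaintext, not that the page is trustworthy.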

