[pass] Mailman page is unencrypted HTTP

Brian Minton brian at minton.name
Fri Feb 5 18:12:56 CET 2016


Even so, with free certificates available from letsencrypt, there's no
reason not to use https.  Still, I'd suggest making the message
telling people not to use a good password more attention-getting.

On Fri, Feb 5, 2016 at 12:06 PM, Kyle Marek-Spartz
<kyle.marek.spartz at gmail.com> wrote:
> Mailman passwords aren't secure anyway:
>
>  You may enter a privacy password below. This provides only mild
>  security, but should prevent others from messing with your
>  subscription. Do not use a valuable password as it will occasionally be
>  emailed back to you in cleartext.
>
> Niklas Hambüchen writes:
>
>> Hey,
>>
>> just signed up to the mailing list. The signup page at
>>
>>   http://lists.zx2c4.com/mailman/listinfo/password-store
>>
>> is unencrypted and https seems to not work there, so my password is now
>> unavoidably owned by the guy sniffing the Starbucks traffic next to me.
>>
>> This is not too much of a problem for me right now since I use random
>> passwords for each signup, but this still feels like an unfortunate
>> setup for unsuspecting/non-technical people who re-use passwords and
>> just want to ask a question to this mailing list.
>>
>> Could the mailman config be put under https?
>>
>> By the way, this would also make sense for the pass website, or so that
>> I can at least retrieve the signing pubkey via an authenticated
>> transport (of course to be sure I'd still have to validate the key
>> identity). Currently there is no way for me to see whether the pass code
>> I clone has integrity at all because all means to obtain or verify it
>> can be trivially man-in-the-middled.
>>
>> Thanks!
>>
>>
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> http://lists.zx2c4.com/mailman/listinfo/password-store
>
>
> --
> Kyle Marek-Spartz

