<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I would like to ask that people please stop discussing this issue
on this list. People did not subscribe to this list to talk about
GNU Mailman security. Herman, frankly, you should have sent your
message to the list maintainers, not to the whole list.</p>
<p>I am going to presume to offer the following authoritative
response in the hope that it will quell further discussion. I am
speaking as someone whose profession is information security, who
has maintained mail servers and mailing lists for more than 30
years, and who has submitted multiple bug reports and patches to
GNU Mailman, the software which hosts this mailing list and
generates these monthly reminder emails.</p>
<p>It is of course true that both storing passwords in plaintext and
sending them out via email are considered no-no's from an
information security point of view. Having said that, there is
some important context to be aware of, which significantly
mitigates the issue.</p>
<p>The first and foremost of these is that this is not a
particularly important password. All it enables an attacker to do
is mess with your subscription settings for a mailing list,
unsubscribe you, or access the archive of the list if it is
protected (this list's is not). Also, if the attacker has access
to your email to get this password out of it, they can already do
all this stuff (!!), because GNU Mailman allows you to
authenticate via a link sent to your email address even when you
don't know your password.</p>
<p>Someone else observed, correctly, that there is a risk of
password reuse, i.e., what if you use the same password for this
list and for other, more important services, and an attacker
steals this password out of your email and uses it to access those
other services. This is not a significant concern for three
reasons: (1) YOU SHOULDN'T BE SHARING PASSWORDS BETWEEN SERVICES
IF YOU CARE ABOUT SECURITY; (2) GNU Mailman assigns list passwords
randomly to people who do not explicitly set them when
subscribing, and most people do not explicitly set them when
subscribing; and (3) most other services will let you do a
password reset via email, so again, if an attacker has access to
your mailbox to read the email with your list password, they also
have access to your mailbox to do password resets for other
services.</p>
<p>Someone else mentioned the possibility that admin passwords are
also mailed out in this way. They are not; only subscriber
passwords are mailed out.</p>
<p>Given all the mitigating factors described above, the authors of
GNU Mailman decided that the convenience of sending people's
passwords outweighed the security risk of doing so. Given that
I've never actually heard of this causing any sort of security
breach in the entire history of the software, history would seem
to suggest that this was a reasonable usability/security tradeoff.</p>
<p>Note that GNU Mailman, the software that hosts this list, has
been around for 23 years, and is in maintenance mode at this point
(the last release, which was minor, was a year and a half ago).
When this software was created the internet was a very different
place and concerns about security were very different as well. I
imagine the authors would not make the same choice if they were
writing this software today, but given all the mitigating factors
described above, I am not sure it is worth the time and effort to
change the behavior in the existing software now, especially since
the reminders can be turned off by admins at the site or list
level if they are worried about this.</p>
<p>In addition, the reminders for individual users can be turned off
by the users themselves, so if this concerns you or you just find
the emails annoying, you can log into the Mailman web interface
for the list and disable them.</p>
<p>Regards,</p>
<p>Jonathan Kamens</p>
On 3/1/23 05:25, Herman Callens wrote:<br>
<blockquote type="cite"
cite="mid:AM9P194MB1297A1A0FF7440484E249031F3AD9@AM9P194MB1297.EURP194.PROD.OUTLOOK.COM">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB">I got this mail today
(see below signature) to remind me about my mailing list
membership.</span></p>
<p class="MsoNormal"><span lang="EN-GB">I am <b>very</b>
worried about the fact that my password is included in this
mail. This means that there is a real technological and
organisational security problem in your mailing system and
organisation.</span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL-BE">Herman
Callens</span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL-BE">Welvaartstraat
77</span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL-BE">2530
Boechout</span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL-BE">M.
<a href="mailto:herman.callens@outlook.be"
moz-do-not-send="true"><span style="color:#0563C1">herman.callens@outlook.be</span></a></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL-BE">G.
+32 (0)478 99 99 92</span></p>
<p class="MsoPlainText"><span lang="EN-GB">This is a reminder,
sent out once a month, about your kde.org mailing list
memberships. It includes your subscription info and how to
use it to change it or unsubscribe from a list.</span></p>
<p class="MsoPlainText"><span lang="EN-GB">You can visit the
URLs to change your membership status or configuration,
including unsubscribing, setting digest-style delivery or
disabling delivery altogether (e.g., for a vacation), and so
on.</span></p>
<p class="MsoPlainText"><span lang="EN-GB">In addition to the
URL interfaces, you can also use email to make such
changes. For more info, send a message to the '-request'
address of the list (for example,
</span><a href="mailto:mailman-request@kde.org"
moz-do-not-send="true"><span lang="EN-GB">mailman-request@kde.org</span></a><span
lang="EN-GB">) containing just the word 'help' in the
message body, and an email message will be sent to you with
instructions.</span></p>
<p class="MsoPlainText"><span lang="EN-GB">If you have
questions, problems, comments, etc, send them to
</span><a href="mailto:mailman-owner@kde.org"
moz-do-not-send="true"><span lang="EN-GB">mailman-owner@kde.org</span></a><span
lang="EN-GB">. Thanks!</span></p>
<p class="MsoPlainText"><span lang="EN-GB">Passwords for </span><a
href="mailto:callens.herman@telenet.be"
moz-do-not-send="true"><span lang="EN-GB">callens.herman@telenet.be</span></a><span
lang="EN-GB">:</span></p>
<p class="MsoPlainText"><span lang="EN-GB">List
Password // URL</span></p>
<p class="MsoPlainText"><span lang="EN-GB">----
--------</span></p>
<p class="MsoPlainText"><a href="mailto:digikam-users@kde.org"
moz-do-not-send="true"><span lang="EN-GB">digikam-users@kde.org</span></a><span
lang="EN-GB">
<span style="color:red">xxxxxxxxxxxxxxxxxx</span></span></p>
<p class="MsoPlainText"><a
href="https://mail.kde.org/mailman/options/digikam-users/callens.herman%40telenet.be"
moz-do-not-send="true"><span lang="EN-GB">https://mail.kde.org/mailman/options/digikam-users/callens.herman%40telenet.be</span></a></p>
</div>
</blockquote>
</body>
</html>