[digiKam-users] Security ?
Jonathan Kamens
jik at kamens.us
Thu Mar 2 13:57:00 GMT 2023
I would like to ask that people please stop discussing this issue on
this list. People did not subscribe to this list to talk about GNU
Mailman security. Herman, frankly, you should have sent your message to
the list maintainers, not to the whole list.
I am going to presume to offer the following authoritative response in
the hope that it will quell further discussion. I am speaking as someone
whose profession is information security, who has maintained mail
servers and mailing lists for more than 30 years, and who has submitted
multiple bug reports and patches to GNU Mailman, the software which
hosts this mailing list and generates these monthly reminder emails.
It is of course true that both storing passwords in plaintext and
sending them out via email are considered no-no's from an information
security point of view. Having said that, there is some important
context to be aware of, which significantly mitigates the issue.
The first and foremost of these is that this is not a particularly
important password. All it enables an attacker to do is mess with your
subscription settings for a mailing list, unsubscribe you, or access the
archive of the list if it is protected (this list's is not). Also, if
the attacker has access to your email to get this password out of it,
they can already do all this stuff (!!), because GNU Mailman allows you
to authenticate via a link sent to your email address even when you
don't know your password.
Someone else observed, correctly, that there is a risk of password
reuse, i.e., what if you use the same password for this list and for
other, more important services, and an attacker steals this password out
of your email and uses it to access those other services. This is not a
significant concern for three reasons: (1) YOU SHOULDN'T BE SHARING
PASSWORDS BETWEEN SERVICES IF YOU CARE ABOUT SECURITY; (2) GNU Mailman
assigns list passwords randomly to people who do not explicitly set them
when subscribing, and most people do not explicitly set them when
subscribing; and (3) most other services will let you do a password
reset via email, so again, if an attacker has access to your mailbox to
read the email with your list password, they also have access to your
mailbox to do password resets for other services.
Someone else mentioned the possibility that admin passwords are also
mailed out in this way. They are not; only subscriber passwords are
mailed out.
Given all the mitigating factors described above, the authors of GNU
Mailman decided that the convenience of sending people's passwords
outweighed the security risk of doing so. Given that I've never actually
heard of this causing any sort of security breach in the entire history
of the software, history would seem to suggest that this was a
reasonable usability/security tradeoff.
Note that GNU Mailman, the software that hosts this list, has been
around for 23 years, and is in maintenance mode at this point (the last
release, which was minor, was a year and a half ago). When this software
was created the internet was a very different place and concerns about
security were very different as well. I imagine the authors would not
make the same choice if they were writing this software today, but given
all the mitigating factors described above, I am not sure it is worth
the time and effort to change the behavior in the existing software now,
especially since the reminders can be turned off by admins at the site
or list level if they are worried about this.
In addition, the reminders for individual users can be turned off by the
users themselves, so if this concerns you or you just find the emails
annoying, you can log into the Mailman web interface for the list and
disable them.
Regards,
Jonathan Kamens
On 3/1/23 05:25, Herman Callens wrote:
>
> I got this mail today (see below signature) to remind me about my
> mailing list membership.
>
> I am *very* worried about the fact that my password is included in
> this mail. This means that there is a real technological and
> organisational security problem in your mailing system and organisation.
>
> Herman Callens
>
> Welvaartstraat 77
>
> 2530 Boechout
>
> M. herman.callens at outlook.be
>
> G. +32 (0)478 99 99 92
>
> This is a reminder, sent out once a month, about your kde.org mailing
> list memberships. It includes your subscription info and how to use
> it to change it or unsubscribe from a list.
>
> You can visit the URLs to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery
> or disabling delivery altogether (e.g., for a vacation), and so on.
>
> In addition to the URL interfaces, you can also use email to make such
> changes. For more info, send a message to the '-request' address of
> the list (for example, mailman-request at kde.org) containing just the word 'help' in
> the message body, and an email message will be sent to you with
> instructions.
>
> If you have questions, problems, comments, etc, send them to
> mailman-owner at kde.org. Thanks!
>
> Passwords for callens.herman at telenet.be:
>
> List                        Password // URL
> ----                        --------
>
> digikam-users at kde.org   xxxxxxxxxxxxxxxxxx
> https://mail.kde.org/mailman/options/digikam-users/callens.herman%40telenet.be
>
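One way to apply the list-level switch Jonathan mentions, as an added example that is not from this thread or from the Mailman project: a `withlist` script for GNU Mailman 2.1 (assumed to be the version hosting the list) that clears the per-list `send_reminders` setting. The `disable_reminders` function name and the `withlist` command lines are assumptions; the caveat it encodes is that `DEFAULT_SEND_REMINDERS` in `mm_cfg.py` only seeds newly created lists, so existing lists need a pass like this one.

```python
# Added example (not from the thread): a GNU Mailman 2.1 "withlist" script
# that turns off monthly password reminders on an existing list.
# Assumed usage (function name and invocation are assumptions):
#   bin/withlist -l -a -r disable_reminders        # every list, locked
#   bin/withlist -l -r disable_reminders LISTNAME  # one list, locked
# Caveat: DEFAULT_SEND_REMINDERS in mm_cfg.py is only copied into a list
# when it is created; lists that already exist keep their own
# send_reminders value, which is why a per-list pass is needed.


def disable_reminders(mlist):
    """Clear send_reminders on `mlist` and persist the change.

    Returns True if the list was changed and saved, False if reminders
    were already off. Raises RuntimeError if withlist was run without -l,
    because MailList.Save() requires the list lock.
    """
    name = mlist.internal_name()
    if not mlist.Locked():
        raise RuntimeError("%s is not locked; rerun withlist with -l" % name)
    if not mlist.send_reminders:
        print("%s: monthly password reminders already off" % name)
        return False
    mlist.send_reminders = 0
    mlist.Save()
    print("%s: monthly password reminders disabled" % name)
    return True
```

Per-user opt-out (the "Get password reminder email for this list?" option on the options page quoted above) is independent of this list-level setting and stays under each subscriber's control.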