Re: mailing list memberships reminder -> passwords in the clear

2012-11-03 10:25:23
Sabahattin,

Thanks for the detailed info.

I've been getting passwords mailed to me monthly for years. Someone pointed out the disable option just yesterday.

So I've selected the option, but that's hardly the point: the option should default to OFF and not be enable-able so passwords are never sent in the clear.

I find it hard to understand that this is acceptable to the IETF.

Thanks,
P.


On 1 Nov 2012, at 20:20, Paul Aitken <paitken(_at_)cisco(_dot_)com> wrote:
Why does the "mailing list memberships reminder" send passwords in the clear?
Because mailman is brain-dead stupid.  See:
http://www.jwz.org/doc/mailman.html

Sadly, and despite my best efforts to find alternative mailing list software, mailman 
wins on popularity (ugh) and hence support with practically no competition.  Only 
majordomo2, which has been unmaintained for a while now (and its author calls it
"Dead"), holds much of a chance, but I doubt it would work for the IETF in its
current condition.

But have hope!  The IETF serves the mailman interface over TLS, and it is an 
option that you can exercise *not* to have passwords mailed to you.  Go to your 
membership options page, and in the group containing the option to turn off the 
membership reminders, check the checkbox to make it global.  Later, you can 
have the password mailed to you on demand, or unsubscribe without needing a 
password at all (email confirmation loop).

For everything else I'm subscribed to, if I forget my details, one click sends 
a one-time password-reset link.
Passwords are never mailed out, and never shown.
Yes.  Sadly this isn't possible with mailman; you will always be mailed your 
password if you need it and can't remember it.

HTH.

Cheers,
Sabahattin