[147448] in cryptography@c2.net mail archive


Re: [Cryptography] Why is emailing me my password?

daemon@ATHENA.MIT.EDU (Markus Wanner)
Wed Oct 2 10:26:38 2013

X-Original-To: cryptography@metzdowd.com
Date: Wed, 02 Oct 2013 09:58:14 +0200
From: Markus Wanner <markus@bluegap.ch>
To: Greg <greg@kinostudios.com>
In-Reply-To: <F63B5870-F5E6-4787-9141-878E759D01D7@kinostudios.com>
Cc: Nick <cryptography-list@njw.me.uk>, John Ioannidis <ji@tla.org>,
	Lodewijk andré de la porte <l@odewijk.nl>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 10/02/2013 12:03 AM, Greg wrote:
> Running a mailing list is not hard work. There are only so many things
> one can fuck up. This is probably one of the biggest mistakes that can
> be made in running a mailing list, and on a list that's about software
> security. It's just ridiculous.

While I agree in principle, I don't quite like the tone here. But I
liked your password, though. ;-)

And no: there certainly are bigger mistakes an admin of a mailing list
can make. Think: members list, spam, etc.

> A mailing list shouldn't have any passwords to begin with. There is no
> need for passwords, and it shouldn't be possible for anyone to
> unsubscribe anyone else.
> 
> User: Unsubscribe [EMAIL] -> Server
> Server: Are you sure? -> [EMAIL]
> User@[EMAIL]: YES! -> Server.
> 
> No passwords, and no fake unsubscribes.

For that to be as secure as you make it sound, you still need a password
or token. Hopefully a one-time, randomly generated one, but it's still a
password. And it still crosses the wires unencrypted and can thus be
intercepted by a MITM.

The gain of that approach really is that there's no danger of a user
inadvertently revealing a valuable password.

The limited lifetime of the OTP may also make it a tad harder for an
attacker, but given the (absence of) value for an attacker, that's close
to irrelevant.

Regards

Markus Wanner
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
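The three-message exchange quoted above (Unsubscribe -> "Are you sure?" -> YES) and Markus's reply that the "YES" step still carries a one-time, randomly generated token are shown below as an added worked example; this is not code from the thread or from Mailman. The store name `ConfirmationStore`, the 24-hour lifetime and the sample addresses are assumptions chosen for illustration. The token is generated with `secrets`, compared in constant time, expires, and is consumed on first use, so a replayed or stale confirmation fails.

```python
import hmac
import secrets
import time

# Assumed lifetime for a pending confirmation (constructed value, not from the thread).
TOKEN_TTL_SECONDS = 24 * 3600


class ConfirmationStore:
    """Holds one pending unsubscribe confirmation per address (hypothetical helper)."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised offline
        self._pending = {}     # lowercased email -> (token, expires_at)

    def issue(self, email: str) -> str:
        """Step 2 of the exchange: generate the random one-time token the server
        mails back to the address. Re-issuing replaces any older pending token."""
        token = secrets.token_urlsafe(32)
        self._pending[email.lower()] = (token, self._now() + TOKEN_TTL_SECONDS)
        return token

    def confirm(self, email: str, presented: str) -> bool:
        """Step 3 of the exchange: the reply from the address carries the token.
        Returns True exactly once, and only for an unexpired, matching token."""
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False                      # nothing pending, or already used
        token, expires_at = entry
        if self._now() > expires_at:
            del self._pending[key]            # stale token is discarded, not honoured
            return False
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False                      # constant-time mismatch
        del self._pending[key]                # single use: consume before confirming
        return True


def scenario() -> dict:
    """Walk through the exchange and the failure modes; returns the outcomes."""
    clock = [1_000_000.0]                     # constructed epoch time
    store = ConfirmationStore(now=lambda: clock[0])

    # Constructed sample addresses.
    alice = "alice@example.com"
    bob = "bob@example.com"

    # User: "Unsubscribe alice" -> Server; Server: "Are you sure?" -> alice (with token).
    token = store.issue(alice)
    results = {
        "forged_guess": store.confirm(alice, "a" * len(token)),  # attacker's guess
        "genuine_yes": store.confirm(alice, token),              # alice replies YES
        "replayed_yes": store.confirm(alice, token),             # same token again
        "no_request": store.confirm(bob, token),                 # nothing pending for bob
    }

    # A token that is never used is dropped once its lifetime has passed.
    stale = store.issue(bob)
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_yes"] = store.confirm(bob, stale)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:14s} -> {'accepted' if ok else 'rejected'}")
```

The design keeps Markus's observation intact: the token is still a secret that travels in clear mail, so a MITM who reads it can confirm the unsubscribe. What the scheme buys is that this secret is worthless beyond that single action and that window, which is why the `confirm` path deletes the entry on the first successful match rather than leaving it valid until expiry.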
