Questions about new mailing lists setup on common-lisp.net

Erik Huelsmann ehuels at gmail.com
Fri Apr 26 20:16:39 UTC 2013


On Thu, Apr 25, 2013 at 8:07 PM, Erik Huelsmann <ehuels at gmail.com> wrote:

>
>>> > From what I understand now there is no password associated
>>> > with a subscription to a list, nor is there any password
>>> > associated with the owner/admin role of a list.
>>>
>>> Can you tell me what you have read that makes it seem very very
>>> insecure? Also, what are you talking about "password associated
>>> with ..."?
>>>
>>> > Am I wrong in believing that now someone simply has to send emails
>>> > with a forged From: field to hijack control of the list/subscription?
>>>
>>> Well, what made you believe that? Is there a simple way that folks can
>>> easily hijack a list over email?
>>>
>>> As far as I know, it was audited by a company that worries about such
>>> things, http://mlmmj.org/docs/readme-security/ , and does not have a
>>> problem... can you please show me how/where/when you are able to hijack a
>>> list? mlmmj-test at common-lisp.net is a great place to start, and please
>>> feel free to hijack it.
>>>
>>> Let me know if I have answered all the questions, and let me know the
>>> security holes you have discovered.
>>>
>>>  -- drewc
>>>
>>>
>> Indeed you have answered all the questions I asked and this does clarify
>> the current situation.
>>
>
> You did write comments on each of his questions, but could you explain how
> you think mlmmj addresses the security risks put forward regarding
> establishing sender identity related to e-mail? I'm not finding an answer
> to that in your comments. (The fact that the software doesn't contain any
> security glitches doesn't mean its authentication model is flawless, so the
> pointer to the security readme isn't the answer I'm looking for.)
>

Drew responded to me off-list over IM yesterday. The summary of the
reaction is: every moderation request uses a unique and randomly generated
reply-to address, making it hard(er) to just spoof admin mails.


Bye,


Erik.
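To make the mechanism Drew summarised concrete, here is an added sketch of that design in Python. It is example code written for this archive page, not mlmmj's code and not anything posted in the thread; the address layout (the token carried as a "+" subaddress of the list address), the token size, the single-use rule and the expiry are all assumptions of the example, since the page does not describe how mlmmj lays these out. The point it shows is that approval authority lives only in the randomly generated address the request was sent to, so the From: header of a reply is never consulted and forging it buys an attacker nothing.

```python
import secrets
import time
from email.message import EmailMessage
from email.parser import Parser

# Assumed layout for this example (the page does not show mlmmj's real one):
# the random token is carried in a "+" subaddress of the list address.
LIST_DOMAIN = "lists.example.org"
LIST_NAME = "mlmmj-test"
TOKEN_TTL = 7 * 24 * 3600      # assumed lifetime of a pending request, in seconds


class ModerationQueue:
    """Pending moderation requests, each bound to a random single-use token.

    Authority to approve comes only from knowing the token in the address the
    request was sent to; the From: header of the reply is never consulted.
    """

    def __init__(self, now=time.time):
        self._pending = {}       # token -> (action, subject, created_at)
        self._now = now          # injectable clock, so expiry can be tested

    def new_request(self, action, subject):
        """Build the mail the list sends to its owner for one queued post."""
        token = secrets.token_hex(16)        # 128 bits from the OS CSPRNG
        self._pending[token] = (action, subject, self._now())
        msg = EmailMessage()
        msg["From"] = f"{LIST_NAME}-owner@{LIST_DOMAIN}"
        msg["Reply-To"] = f"{LIST_NAME}+{action}-{token}@{LIST_DOMAIN}"
        msg["Subject"] = f"Moderation required: {subject}"
        msg.set_content("Reply to this mail to approve the queued post.")
        return msg

    def handle_reply(self, raw):
        """Process an inbound reply (raw RFC 822 text); return (accepted, reason)."""
        msg = Parser().parsestr(raw)
        to = msg.get("To", "").strip().lower()
        local, _, domain = to.rpartition("@")
        if domain != LIST_DOMAIN:
            return False, "not addressed to this list domain"
        base, _, tagged = local.partition("+")
        if base != LIST_NAME or not tagged:
            # Plain list/owner addresses carry no token, so a reply there
            # proves nothing, whatever From: claims.
            return False, "no moderation token in address"
        action, _, token = tagged.rpartition("-")
        entry = self._pending.get(token)
        if entry is None:
            return False, "unknown or already used token"
        expected_action, subject, created = entry
        if action != expected_action:
            return False, "token does not match this action"
        if self._now() - created > TOKEN_TTL:
            del self._pending[token]
            return False, "token expired"
        del self._pending[token]             # single use: a replayed reply fails
        return True, f"{action} approved for {subject!r}"


if __name__ == "__main__":
    q = ModerationQueue()
    req = q.new_request("moderate", "Hello list")
    # Constructed inbound mails: a forged From: to the owner address, then a
    # reply to the tokenised address from an unrelated sender.
    print(q.handle_reply("From: mlmmj-test-owner@lists.example.org\n"
                         "To: mlmmj-test-owner@lists.example.org\n\nyes\n"))
    print(q.handle_reply("From: nobody@attacker.example\n"
                         f"To: {req['Reply-To']}\n\nyes\n"))
```

The caveat this makes visible is also the limit of the scheme: it defends against a sender who can only forge From:, not against one who can read the owner's mailbox or the mail in transit, since the token travels in the clear in the request itself.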