[security flaw] Ubuntu is a plain text offender

Chuck Peters cp at ccil.org
Tue May 24 18:45:16 UTC 2011


On Mon, May 23, 2011 at 9:34 AM, Amedee Van Gasse
<amedee-ubuntu at amedee.be> wrote:
>> Also, why does Canonical store the mailing list passwords in plain text? I
>> use lots of different passwords so it's not a big security problem for me.
>> But I still find this one of the biggest WTFs in the Mailman software.
>>
>> I might even file a bug report. Or add to the already existing bug report:
>> https://bugs.launchpad.net/mailman/+bug/266821
>
> I just added my comments to the bug report.
>
> Next I'm going to submit Ubuntu to the website that showcases plain text
> offenders: http://plaintextoffenders.com
>
> Ubuntu should stop using an insecure version of Mailman. Now.

Insecure?  If you are that concerned about plain text passwords being
emailed to you I suggest you run your own mail server and require the SMTP
transactions use TLS.  I think the Canonical and Ubuntu people that
administrate the mail servers make reasonable choices for keeping the
information secure. I would be very surprised if they run Mailman on a server
with untrusted users having access to unencrypted passwords.

Personally I am more concerned about sites like plaintextoffenders.com that
use quantserve.com to track us.  A site attempting to educate people about
passwords should not be sharing who visits the site with anyone in my
opinion.

Recently I helped someone with installing and updating TurboTax and
during the update I checked on what the update was, which led to a link at
Intuit with tracking from Facebook included.  A serious breach of trust for
something like tax software!


Chuck



