LSTOWN-L Archives

LISTSERV List Owners' Forum

LSTOWN-L

Philip Kizer <[log in to unmask]>
Sun, 5 Aug 2001 11:21:49 -0500
<[log in to unmask]> wrote:
>> What does this trend portend for Listserv?  Is there a need for Listserv to
>> start using encryption procedures to protect itself and those using it?
>
Stan Horwitz <[log in to unmask]> responded:
>Thus far, Listserv has remained immune from hacking attempts. [ ... ]

Listserv (with the 2000b patches/etc) seems all fine and dandy as far as
anyone's been able to prove, but that doesn't mean the lists it holds are
necessarily immune.

Take, for instance, a list owner that is behind an ISP or host that is
cracked and had network sniffers put in by the black-hats (or more likely
script kiddies).  If they do a list-owner operation with their personal
password, their list is now completely vulnerable.

I do have a few list owners (and me) that would like to use the cgi/wa web
management interface via SSL (https) rather than unprotected http (since
new password verification is the only thing that will be mailed to the end user,
it can be made so that it never flies in the clear).  From my testing, it
looks like wa notes the HTTP_PORT, and writes some responses and redirects
some requests that come in on https://server.name/ to http://server.name:443/
which is guaranteed not to work.  Getting that cleaned up (and I'll submit
an RFE when I re-locate the right address to send to) would make a few of
us happier with trusting the end-to-end security.


-philip

--
Philip Kizer
USENIX Liaison to Texas A&M University       <[log in to unmask]>
Texas A&M CIS Operating Systems Group, Unix <[log in to unmask]>
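
Added example, not part of the original post and not wa's own code: a sketch of the redirect problem described above, where a CGI script rebuilds its own URL with a fixed http scheme plus the listening port, next to a version that takes the scheme from the TLS indicator. It assumes the standard CGI variables SERVER_NAME and SERVER_PORT and the HTTPS=on variable that web servers commonly set for TLS requests; the function names and sample environments are hypothetical.

```python
"""Build a CGI script's own base URL for redirects (constructed example)."""

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_base_url(env):
    """Behaviour described in the post: scheme fixed to http, port appended."""
    port = int(env.get("SERVER_PORT", 80))
    suffix = "" if port == 80 else ":%d" % port
    return "http://%s%s/" % (env["SERVER_NAME"], suffix)


def base_url(env):
    """Pick the scheme from the TLS indicator, then drop a default port."""
    tls = env.get("HTTPS", "").lower() in ("on", "1")  # assumed TLS indicator
    scheme = "https" if tls else "http"
    port = int(env.get("SERVER_PORT", DEFAULT_PORTS[scheme]))
    suffix = "" if port == DEFAULT_PORTS[scheme] else ":%d" % port
    return "%s://%s%s/" % (scheme, env["SERVER_NAME"], suffix)


def downgrades(request_env, location):
    """True if a request that arrived over TLS is redirected to plain http."""
    tls = request_env.get("HTTPS", "").lower() in ("on", "1")
    return tls and location.lower().startswith("http://")


# Constructed CGI environments, not captured from a real server.
TLS_REQUEST = {"SERVER_NAME": "server.name", "SERVER_PORT": "443", "HTTPS": "on"}
PLAIN_REQUEST = {"SERVER_NAME": "server.name", "SERVER_PORT": "80"}
ALT_TLS_REQUEST = {"SERVER_NAME": "server.name", "SERVER_PORT": "8443", "HTTPS": "on"}

if __name__ == "__main__":
    for env in (TLS_REQUEST, PLAIN_REQUEST, ALT_TLS_REQUEST):
        bad, good = naive_base_url(env), base_url(env)
        print(bad, "->", good, "(downgrade)" if downgrades(env, bad) else "")
```

The downgrades() check can be run against the Location header of each response when testing a web interface behind https, since a single http:// redirect is enough to put the next request, and any password in it, back on the wire in the clear.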
